(54) Secure data processor with cryptography and tamper detection



(57) The present invention is embodied in a Secured Processing Unit (SPU) chip, a microprocessor designed especially for secure data processing. By integrating keys, encryption/decryption engines and algorithms in the SPU, the entire security process is rendered portable and easily distributed across physical boundaries. The invention is based on the orchestration of three interrelated systems: (i) detectors, which alert the SPU to the existence, and help characterize the nature, of a security attack; (ii) filters, which correlate the data from the various detectors, weighing the severity of the attack against the risk to the SPU's integrity, both to its secret data and to the design itself; and (iii) responses, which are countermeasures, calculated by the filters to be most appropriate under the circumstances, to deal with the attack or attacks present. The present invention, with wide capability in all three of the detectors, filters and responses, allows a great degree of flexibility for programming an appropriate level of security/policy into an SPU-based application.
Description

1. BACKGROUND. 

[0001] This invention relates generally to integrated circuits for electronic data processing systems and more specifically to the architecture, implementation and use of a secure integrated circuit which is capable of effectively preventing inspection, extraction and/or modification of confidential information stored therein.

[0002] There are many applications in which information has to be processed and transmitted securely. For example, automated teller machines (ATMs) require the secure storage and transmission of an identifying key (in this context a password or PIN number) to prevent unauthorized intruders from accessing a bank customer's account. Similarly, pay-per-view (PPV) cable and satellite television systems must protect keys which both distinguish authorized from unauthorized subscribers and decrypt encrypted broadcast television signals.

[0003] Typically, one or more integrated circuits are used to process the information electronically. These integrated circuits may themselves store internal confidential information, such as keys and/or proprietary algorithms for encrypting and decrypting that information, as well as implement the encryption/decryption "engine." Clearly, there is a need for integrated circuits which are capable of preventing an unauthorized person from inspecting, extracting, and/or modifying the confidential information processed by such integrated circuits. Further, it is sometimes desirable to destroy certain confidential information (e.g., the keys) and preserve other confidential information (e.g., historical data, such as accounting information used in financial transactions) upon detection of intrusion.

[0004] One problem with existing security systems is that the confidential information (keys, encryption/decryption algorithms, etc.) is, at some point in the process, available to potential intruders in an unencrypted ("cleartext") form in a non-secure environment. What is needed is a single secure integrated circuit in which the keys and encryption/decryption engine and algorithms can be embodied and protected from intruders. Such an integrated circuit would effectively ensure that the information being processed (i.e., inputs to the chip) is not made available off-chip to unauthorized persons except in encrypted form, and would "encapsulate" the encryption/decryption process on the chip such that the keys and algorithms are protected, particularly while in cleartext form, from a variety of potential attacks.
[0005] Existing secure integrated circuits typically contain barriers, detectors, and means for destroying the confidential information stored therein when intrusion is detected. An example of a barrier is the deposition of one or more conductive layers overlying memory cells inside an integrated circuit. These layers prevent the inspection of the memory cells by diagnostic tools such as a scanning electron microscope. An example of a detector and destroying means is a photo detector connected to a switching circuit which turns off power to memory cells inside a secure integrated circuit upon detection of light. When power is turned off, the contents of the memory cells, which may contain confidential information, will be lost. The theory behind such a security mechanism is that the photo detector will be exposed to light only when the enclosure of the integrated circuit is broken, intentionally or by accident. In either event, it is often prudent to destroy the confidential information stored inside the integrated circuit.

[0006] One problem with existing security systems is the "hard-wired" nature of the process of responding to potential intrusions. Such systems are inherently inflexible because it is very difficult to change the behavior of the security features once the integrated circuit has been fabricated. The only way to alter the behavior of these security features is to undertake the expensive and time-consuming task of designing and fabricating a new integrated circuit.

[0007] Another consequence of a hard-wired architecture is that it is difficult to produce custom security features for low volume applications. This is because it takes a considerable amount of time and money to design, test, and fabricate an integrated circuit. Consequently, it is difficult economically to justify building small quantities of secure integrated circuits, each customized for a special environment.

[0008] There are many situations in which it is desirable to use the same secure integrated circuit, yet have the ability to modify the security features in accordance with the requirements of the application and environment. For example, if the secure integrated circuit is used to process extremely sensitive information, it will be prudent to implement a conservative security "policy", e.g., destroying all the confidential data (e.g., keys) inside the integrated circuit upon detection of even a small deviation from a predetermined state. On the other hand, if the information is not very sensitive, and it is not convenient to replace the secure integrated circuit, the security policy could be more lenient, e.g., action could be taken only when there is a large deviation from the predetermined state.

[0009] Thus, it is desirable to have a secure integrated circuit architecture in which a broad range of flexible security policies can be implemented.

2. SUMMARY OF THE INVENTION. 


[0010] The present invention is embodied in a Secured Processing Unit (SPU) chip, a microprocessor designed especially for secure data processing. By integrating the keys and the encryption/decryption engine and algorithms in the SPU, the entire security process is rendered portable and is easily distributed to its intended recipients, with complete privacy along the way. This is accomplished by the following SPU-based features: positive identification and reliable authentication of the card user, message privacy through a robust encryption capability supporting the major cryptographic standards, secure key exchange, secure storage of private and secret keys, algorithms, certificates or, for example, transaction records or biometric data, verifiability of data and messages as to their alteration, and secure authorization capabilities, including digital signatures.

[0011] The access card could be seen as a form of electronic wallet, holding personal records, such as one's driver's license, passport, birth certificate, vehicle registration, medical records, social security cards, credit cards, biometric information such as finger- and voiceprints, or even digital cash.

[0012] A personal access card contemplated for everyday use should be resilient to the stresses and strains of such use, i.e. going through X-ray machines at airports, the exposure to heat if left in a jacket placed on a radiator, a mistyped personal identification number (PIN) by a flustered owner, etc. Thus, in such an application, the SPU could be programmed with high tolerances to such abuses. A photo detector triggered by X-rays might be cued a few moments later to see if the exposure had stopped. Detection of high temperature might need to be coupled to other symptoms of attack before defensive action was taken. A PIN number entry could be forgiving for the first two incorrect entries before temporarily disabling subsequent functions, as is the case with many ATMs.

[0013] For an application like a Tessera Crypto-Card, a secure cryptographic token for the new Defense Messaging System for sensitive government information, the system might be programmed to be less forgiving. Handling procedures for Tessera Card users may prevent the types of common, everyday abuses present in a personal access card. Thus, erasure of sensitive information might be an early priority.
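The three-part scheme of detectors, filters and responses, and the contrast between a forgiving personal-access-card policy and a strict Tessera-style token policy, can be made concrete in software. The following is an added example written for this page, not code from the patent or from any SPU firmware: the Status Register bit layout, the severity weights, the thresholds and the response names are all constructed assumptions, chosen so that the two policies behave as the two paragraphs above describe (a transient X-ray exposure is re-sampled and ignored, high temperature alone does not trigger action on the card, two wrong PINs are forgiven, while the token erases on the first serious detector hit).

```python
from dataclasses import dataclass

# Constructed Status Register layout: one bit per detector (assumption).
PHOTO = 1 << 0        # Photo Detector tripped (light or X-ray exposure)
TEMP_HIGH = 1 << 1    # Temperature Detector tripped
METAL_LAYER = 1 << 2  # Metallization Layer Detector tripped
VRT_LOST = 1 << 3     # Valid RAM and Time (VRT) bit cleared
PIN_FAIL = 1 << 4     # a PIN entry just failed (software attack monitor)

BIT_NAMES = {PHOTO: "photo", TEMP_HIGH: "temp_high", METAL_LAYER: "metal_layer",
             VRT_LOST: "vrt_lost", PIN_FAIL: "pin_fail"}


@dataclass
class Policy:
    """A programmable security policy: how the filter weighs each detector."""
    name: str
    weights: dict            # detector bit -> severity it contributes
    erase_threshold: int     # score at which secret keys are zeroized
    lockout_threshold: int   # score at which functions are disabled
    pin_tolerance: int       # wrong PIN entries forgiven before lockout
    recheck_photo: bool      # re-sample the photo detector before acting


# Lenient policy for an everyday personal access card (weights are constructed).
ACCESS_CARD = Policy("access_card",
                     weights={PHOTO: 2, TEMP_HIGH: 2, METAL_LAYER: 5, VRT_LOST: 3, PIN_FAIL: 0},
                     erase_threshold=5, lockout_threshold=4, pin_tolerance=2,
                     recheck_photo=True)

# Strict policy for a cryptographic token holding sensitive keys (constructed).
CRYPTO_TOKEN = Policy("crypto_token",
                      weights={PHOTO: 5, TEMP_HIGH: 3, METAL_LAYER: 5, VRT_LOST: 5, PIN_FAIL: 1},
                      erase_threshold=3, lockout_threshold=1, pin_tolerance=0,
                      recheck_photo=False)


def decode(status: int) -> list:
    """Names of the detector bits set in a Status Register value."""
    return [name for bit, name in BIT_NAMES.items() if status & bit]


def filter_and_respond(policy: Policy, status: int, pin_failures: int = 0,
                       photo_still_lit: bool = False) -> list:
    """Correlate detector bits into one severity score and choose responses.

    pin_failures is the count of consecutive wrong PINs including the current
    one; photo_still_lit is the result of the delayed re-sample a lenient
    policy takes before trusting the photo detector.
    """
    score = 0
    for bit, weight in policy.weights.items():
        if not status & bit:
            continue
        if bit == PHOTO and policy.recheck_photo and not photo_still_lit:
            continue      # transient exposure (e.g. airport X-ray): ignore
        score += weight

    responses = set()
    if status & PIN_FAIL and pin_failures > policy.pin_tolerance:
        responses.add("disable_functions")
    if score >= policy.erase_threshold:
        responses.add("zeroize_keys")
    elif score >= policy.lockout_threshold:
        responses.add("disable_functions")
    return sorted(responses) or ["log_only"]
```

Because the policy is data rather than wiring, the same filter code serves both applications; changing the card's behaviour means changing the `Policy` values held in ROM or battery-backed RAM, which is the flexibility the background section says hard-wired designs lack.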

[0014] Various encryption schemes have been proposed, such as where a user creates and authenticates a secure digital signature, which is very difficult to forge and thus equally difficult to repudiate. Because of a lack of portable, personal security, however, electronic communications based on these schemes have not gained widespread acceptance as a means of conducting many standard business transactions. The present invention provides the level of security which makes such electronic commerce practical. Such a system could limit, both for new and existing applications, the number of fraudulent or otherwise uncollectible transactions.

[0015] Another possible application is desktop purchasing, a delivery system for any type of information product that can be contained in electronic memory, such as movies, software or databases. Thus, multimedia-based advertisements, tutorials, demos, documentation and actual products can be shipped to an end user on a single encrypted CD-ROM or broadcast through suitable RF or cable channels. Virtually any content represented as digital information could be sold off-line, i.e. at the desktop, with end users possibly permitted to browse and try such products before buying.
[0016] The encryption capabilities of the SPU could be employed to decrypt the information, measure and record usage time, and subsequently upload the usage transactions to a centralized billing service bureau in encrypted form, all with a high degree of security and dependability. The SPU would decrypt only the appropriate information and transfer it to a suitable storage medium, such as a hard disk, for immediate use.

[0017] Information metering, software rental and various other applications could also be implemented with an SPU-based system, which could authenticate users and monitor and account for their use and/or purchase of content, while securing confidential information from unauthorized access through a flexible security policy appropriate to the specific application.

[0018] This pay-as-you-go option is an incentive to information providers to produce products, as it minimizes piracy by authenticating the user's initial access to the system, securing the registration process and controlling subsequent use, thereby giving end users immediate access to the product without repeated authorization.

[0019] Other aspects and advantages of the present invention will become apparent from the following description of the preferred embodiment, taken in conjunction with the accompanying drawings and tables, which disclose, by way of example, the principles of the invention.


3. BRIEF DESCRIPTION OF THE DRAWINGS. 
[0020] 

FIG. 1 is a simplified block diagram of the apparatus in accordance with the present invention, showing the Secured Processing Unit (SPU) for performing PDPS.

FIG. 2 is a simplified block diagram of the Power Block shown in FIG. 1.

FIG. 3 is a schematic representation of the Silicon Firewall.

FIG. 4 is a schematic representation of an embodiment of the Silicon Firewall shown in FIG. 3.

FIG. 5 is a schematic representation of an alternative embodiment of the Silicon Firewall shown in FIG. 3.

FIG. 6 is a block diagram of the System Clock shown in FIG. 1.

FIG. 7 is a schematic representation of the Ring Oscillator shown in FIG. 6.

FIG. 8 is a block diagram of the Real Time Clock shown in FIG. 1.

FIG. 9 is a flowchart of the firmware process for performing the Inverting Key Storage.


FIG. 10 is a schematic representation of the Inverting Key Storage.

FIG. 11 is a block diagram of an embodiment of the Metallization Layer Detector shown in FIG. 1.

FIG. 12 is a schematic representation of an alternative embodiment of the Metallization Layer Detector shown in FIG. 1.

FIG. 13 is a schematic representation of a second alternative embodiment of the Metallization Layer Detector shown in FIG. 1.


FIG. 14(a) is a flowchart of the firmware process for performing the Clock Integrity Check.

FIG. 14(b) is a flowchart of the firmware process for performing the Power Integrity Check.

FIG. 15 is a flowchart of the firmware process for performing the Bus Monitoring Prevention.

FIG. 16 is a flowchart of the firmware process for performing the Trip Wire Input.

FIG. 17 is a flowchart of the firmware process for performing the Software Attack Monitor.


FIG. 18 is a flowchart of the firmware process for performing the Detection Handler.

FIG. 19 is a simplified representation of the stages of the Filtering Process, including correlating the detectors and selecting the responses.

FIG. 20 is a flowchart of the firmware process for performing the filtering of detectors and selection of responses in the context of a simple SPU application; in this instance, using an SPU-equipped PCMCIA card as a digital cash or debit card.

4. DETAILED DESCRIPTION.

a. General Architecture. 

[0021] A flexible architecture in accordance with the present invention permits extension and customization for specific applications without a compromise in security. One physical embodiment of this invention is a single-chip SPU that includes a 20-MHz 32-bit CPU, based on the National Semiconductor NS32FV16 Advanced Imaging and Communications microprocessor, but lacking that chip's Digital Signal Processing (DSP) unit.

[0022] Referring to FIG. 1, the gross features of the SPU architecture are described. This description is not meant to be a literal description of the SPU layout as some features have been moved or regrouped in order to gain a better conceptual understanding of the principles underlying the present invention. The SPU's Micro Controller 3 is isolated from all off-chip input (such input being regulated by the External Bus Interface Block 9 and the general purpose I/O Port Block 1), instead receiving programmed commands via an Internal Data Bus 10 from the on-board ROM Block 7. In one embodiment, the ROM Block 7 is configured at 32 KBytes, and the battery-backed RAM Block 8 is configured at 4 KBytes. The Internal System Bus 10 carries all the major signals among the SPU peripherals, such as the address and data lines, read and write strobes, enable and reset signals, and the Micro Controller clock signal, CTTL 25.

[0023] The System Clock Block has a programmable internal high-frequency oscillator, and is the source, through SYSCLK 35, for the Micro Controller clock signal CTTL 25, which governs all peripheral functions.

[0024] The Real Time Clock 5 for the SPU follows the IEEE 1212 standard, which specifies control and status register architecture, and which builds upon and significantly enhances the UNIX time format (UNIX time being the number of seconds elapsed since January 1, 1970). The Real Time Clock 5 is implemented through a binary ripple counter which is driven via RTCLK 29 by an off-chip external 32.768 KHz quartz crystal 14 in conjunction with RTC Oscillator 14 circuitry. Through an offset in battery-backed RAM 8, for example, the Real Time Clock 5 provides UNIX time, and can implement a host of time-based functions and time limits under ROM Block 7 program control. One firmware routine stored in the ROM Block 9 cross-checks the System Clock 2 and Real Time Clock 5 so as to overcome tampering with the latter.

[0025] The I/O Port Block 1 is a general-purpose programmable input/output interface which can be used to access off-chip RAM and meet general I/O requirements. Off-chip RAM (not shown) would be typically used for information that cannot be accommodated internally but, for security and performance reasons, still needs to be closer to the SPU than main system memory or disk storage. This information may be protected by modification detection codes, and may or may not be encrypted, depending on application requirements. In addition to serving as a memory interface, several signals on this port can be used to implement cryptographic alarms or trip wire inputs, or even to zero inputs or keys.

[0026] The External Bus Interface Block 9 is the communications port to the host system. In one embodiment, it is the means for getting the application commands, as well as data, to and from the SPU, and is designed to match the ISA bus standard requirements.

[0027] The Power Block 13 switches between system and battery power depending on system power availability. Power from an external battery (not shown) is supplied to the RTC Block 5, the RAM Block 8 and a Status Register 11 through VPP 24, as well as off-chip RAM (not shown) through VOUT 23 when system power is not available. The Power Block 13 also provides signals PWRGD 27, DLY_PWRGD 26 and CHIP_PWRGD 28, which, respectively, start the System Clock 2, reset the Bus Controller 4 and enable the isolation of the battery-backed parts of the circuit from the non-battery-backed parts through the Power Isolation

[0028] A Silicon Firewall 20 protects the internal circuitry from any external asynchronous or otherwise anomalous signals, conditioning the inputs from the I/O Port Block 1 via PIN lines 32 or the External Bus Interface 9 via ADDR/DATA lines 33, the RESET 30 to the Bus Controller 4, as well as from a host of security detectors. Some internally generated signals, such as the output of the

[0029] The Status Register 11 is the repository of all hardware detector signals arrayed through the device to detect various attempted security breaches. Detectors may include a Photo Detector 16, Temperature Detector 17, Metallization Layer Detector 18 and any Additional Detectors 19 (represented in ghost), for example high/low voltage detectors, vibration detectors, sand detectors. Each of these detectors may convey one or more bits of information which, in one embodiment, are stored in the Status Register 11. The Status Register 11 may also store internally generated signals, such as the ROLLOVER 34 signal from the Real Time Clock 5 and the Valid RAM and Time (VRT) bit, used to verify the integrity of the information stored in the RAM Block 8 and the time counter in the Real Time Clock 5.

[0030] In one embodiment, a DES Engine 6 is provided as a cryptographic engine to encrypt and decrypt data using its DES algorithm. Alternative embodiments of cryptographic engines may be implemented entirely in hardware, or in a combination of hardware and software, and may use other cryptological algorithms, including RSA or secret algorithms such as RC2, RC4, or Skipjack, or combinations thereof. The DES Engine 6 receives keys and data for the cryptographic process from the RAM Block 8 under the control of the Micro Controller 3. The data used could be application data supplied from the External Bus Interface 9 or protected data from the RAM Block 8. The DES Block 6, in one embodiment, performs a decryption of a 64-bit block in 18 clock cycles. Thus, with an SPU rated at 20 MHz, a single decryption will take approximately 90 ns, which amounts to a decryption rate of 8.9 Mbytes per second.
[0031] Typically, the SPU receives "messages" in encrypted form. The cryptographic engine (e.g. DES Engine 6) uses keys, for example, "session keys" specific to a particular application transaction or "session". The cryptographic engine is thus used to encrypt or decrypt the messages, or perform other cryptographic operations as is well-known in the art. In addition to providing secure message transfer, the SPU also provides secure key transfer. By having, or indeed even generating, a "master key" internally (using any of the well-known key generation techniques for public or secret key algorithms), the SPU can receive session keys in encrypted form and, treating them like messages, decrypt them with the cryptographic engine using the master key. Conversely, the SPU can encrypt and send messages in a secure manner. The master key, the decrypted session keys and other sensitive information (e.g. the encryption/decryption algorithms) are stored in secure rewritable memory on the SPU, as described below.
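The master-key / session-key arrangement just described, shown as an added example that is not part of the patent and does not use the DES Engine: the cipher below is a stand-in built from HMAC-SHA256 in the Python standard library (a counter-mode keystream with an encrypt-then-MAC tag), chosen so the example runs without third-party libraries. The master key, the session key, the message and the session identifiers are constructed for the example. The point it demonstrates is the one in the paragraph: the master key never leaves the `SPU` object, a wrapped session key is processed exactly like any other message, and a wrap altered in transit is refused rather than installed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 8
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt then authenticate; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    stream = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes):
    """Check the tag in constant time before decrypting; None if altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class SPU:
    """Keeps the master key and unwrapped session keys in (modelled) secure RAM."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._sessions = {}

    def install_session_key(self, session_id: str, wrapped: bytes) -> bool:
        # A wrapped session key is decrypted like any other message, under the
        # master key; a forged or altered wrap fails the tag check and is refused.
        session_key = open_sealed(self._master, wrapped)
        if session_key is None:
            return False
        self._sessions[session_id] = session_key
        return True

    def decrypt_message(self, session_id: str, blob: bytes):
        session_key = self._sessions.get(session_id)
        return None if session_key is None else open_sealed(session_key, blob)

    def encrypt_message(self, session_id: str, plaintext: bytes) -> bytes:
        return seal(self._sessions[session_id], plaintext)


def demo():
    """Constructed exchange: issuer wraps a session key, SPU unwraps and uses it."""
    master = hashlib.sha256(b"constructed master key, never leaves the SPU").digest()
    session_key = hashlib.sha256(b"constructed session key for one transaction").digest()
    spu = SPU(master)
    installed = spu.install_session_key("txn-1", seal(master, session_key))
    message = spu.decrypt_message("txn-1", seal(session_key, b"debit 12.50"))
    tampered = bytearray(seal(master, session_key))
    tampered[NONCE_LEN + 3] ^= 0x01          # flip one ciphertext bit in transit
    rejected = not spu.install_session_key("txn-2", bytes(tampered))
    unknown = spu.decrypt_message("txn-2", b"\x00" * 40)
    return installed, message, rejected, unknown
```

The integrity tag is what makes "treat the wrapped key like a message" safe: without it, an altered wrap would silently install a different session key, which is the kind of modification the paragraph's "secure key transfer" is meant to exclude.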

i. Power Block.

[0032] The security requirements of the SPU impose special requirements on the power supply. As the Real Time Clock 5 is used to maintain accurate time and the RAM 8 is used to store and maintain information, both for the field life of the product, each must have a continuous source of power, VPP 24, which here is supplied by the Power Block 13.

[0033] Referring now to FIG. 2, the battery VBAT 21 and system VDD 22 voltages are supplied to the Power Switching Circuit 101. This circuit uses a conventional analog comparator to determine the higher of the two voltages. VDD 22
iv. Internal System Clock.

[0049] A system clock compatible with PDPS faces a series of design considerations: cost, governmental regulatory compliance, printed circuit board area, power consumption and last, but most important, security. The desire for high performance places a premium on clock speed, which is directly proportional thereto.

[0050] The cost of clocking circuits increases with frequency, and external clocks may represent a sizeable fraction of the entire manufacturing cost. The greater the physical extent of the high-frequency circuitry, the greater the high-frequency EM emissions, resulting in both a problem for security as well as meeting FIPS 140-1 requirements. EM emissions can give surprising amounts of information to sophisticated attackers; by analyzing the power spectrum, one might even deduce which type of algorithm is being processed at any particular time. As compared with an internal clock sitting right on the microprocessor, an external clock coupled to a microprocessor cannot be made to comply as easily with the FIPS 140-1 EMI/EMC requirements which impose limits on EM emissions. External clocking arrangements can use significant real estate on printed circuit boards and hence restrict design applications. The desire to reduce power consumption favors internal clocks: they can operate at lower voltages than external ones, which have to deal with high outside EM interference; and they have smaller power dissipation capacitances owing to their smaller physical dimensions. Moreover, the presence of an external clock allows a potential chip attacker to manipulate the clock speed, a factor which may allow it to foil other security devices.

[0051] Internal oscillators, of themselves, are not novel structures. One can find a programmable internal oscillator in Carver Mead and Lynn Conway, Introduction to VLSI Systems, Addison-Wesley (1980), pp. 233-236. Another example is a phase-locked loop circuit which locks upon an external low frequency reference, as described by Brian Case, "Sony & HDL Detail Embedded MIPS Cores", Microprocessor Report, vol. 7, no. 15, November 15, 1993. This outside link through an external reference is completely inappropriate in a security environment, however.

[0052] Referring now to FIG. 6, the System Clock 2 is implemented using a standard 5-clock-cycle shutdown, 5-clock-cycle enable, state machine once a change request has been detected. The Bus Interface and Decoder 151 selects and decodes three types of signals off the Internal Bus 10: the internal system clock signal CTTL 34 which is passed on to Power Block 13 as was illustrated in FIG. 1; a STOP_CLK 166 signal to stop the System Clock 2; and the 4-bit signal OSC_FREQ 172, representing the programmed frequency for the Ring Oscillator 156. The OSC_FREQ 172 signal is stored in the Oscillator Control Register 152, and is fed into the Change Pulse Generator 153. The STOP_CLK 166 and PWRGD 27 signals are fed into AND gate 164, the output of which is fed into the Change Pulse Generator 153, AND gate 165, the set of entry latches 154, the Clock Edge Prohibit 155, and the resets for the D flip-flops 159 to 163. Thus, when the Change Pulse Generator 153 detects a change in any of its inputs, it generates a pulse CHANGE_DETECTED 167 which is latched onto the latch 158. The D flip-flops 159 to 163 act as a shift register, propagating the latched signal from latch 158 down the line in five clock cycles, the clocking generated by RING_CLK_OUT 170, the output of the Ring Oscillator 156. When the signal has propagated through the last D flip-flop 163, it generates: (i) an OPEN_LATCH 168 signal to the entry latches 154 and Clock Edge Prohibit 155; and (ii) a CLOSE_LATCH 169 signal to the exit latch 157 and the AND gate 165, thus resetting the latch 158.

[0053] The OPEN_LATCH 168 signal, in conjunction with a high signal from the AND gate 164, will enable the Clock Edge Prohibit 155, which is a one-shot trigger generating a SHUTDOWN_CLK 171 signal for approximately 120 ns, allowing a new frequency to be programmed into the Ring Oscillator 156 without introducing transient glitches. At the same time, the CLOSE_LATCH 169 signal will remain low for one clock cycle, resulting in the output SYSCLK 35 having a longer duty cycle for one clock cycle, and then the data in the Oscillator Control Register 225 will correspond to the output frequency of SYSCLK 35.

[0054] The Ring Oscillator 156 itself will now be described. To compensate for the wide process variations introduced in manufacture, resulting in variances in individual clock rates over a wide range, the Ring Oscillator 156 is programmable to sixteen different frequencies of operation: 22 MHz, 23 MHz, 24.8 MHz, 26.2 MHz, 27.7 MHz, 29 MHz, 31.9 MHz, 34.3 MHz, 37.8 MHz, 40.2 MHz, 46 MHz, 51.2 MHz, 58.8 MHz, 64.9 MHz, 82.2 MHz and 102.2 MHz. The particular nature of the Micro Controller 3, as well as concerns for the operational compatibility with the ROM 7, dictated that these nominal frequencies be divided by two before the signal leaves the Ring Oscillator 156 and is provided to the Micro Controller 3 via SYSCLK 35.

[0055] Referring now to FIG. 7(a), one can see that this aforementioned frequency division is accomplished by the D flip-flop 210 whose output is RING_CLK_OUT 170. The OSC_FREQ 172 signals are supplied in pairs to one of two multiplexers MUX1 204 and MUX2 208. The output of MUX2 208 is fed to the D flip-flop 210 clock input and the NAND gate 209. The SHUTDOWN_CLK 171 signal is fed to the D flip-flop 210 reset and the NAND gate 209. Blocks 201, 202, 203, 205, 206, 207 are chains of inverters, represented in FIGS. 4(b), 4(c), 4(c), 4(d), 4(e) and 4(e), respectively. Depending on the state of the OSC_FREQ 171 signals, from (0,0,0,0) to (1,1,1,1), asserted on the multiplexers MUX1 204 and MUX2 208, the results yield an effective circuit varying in the number of inverters. In FIG. 7(b) a chain of 8 inverters 211 to 218 is shown, each connected to VPP 24 through capacitors 219 to 226. These capacitors act to swamp all routing capacitance through the circuit. Similarly, FIG. 7(c) shows the corresponding 4 inverter chain, with inverters 227, ..., and capacitors 231, ..., 234. FIG. 7(d) shows the 2 inverter chain with inverters 235 and 236, capacitors 237 and 238. Finally, FIG. 7(e) also shows two inverters 239 and 240, but with only a single capacitor 241 attached to the output of the second inverter 240. Two inverters are required in this last case, because an even number of inverters, in conjunction with the NAND gate 209, is required to give the ring a net overall inversion, sustaining the Ring Oscillator 156. It is the combined propagation delays through all the inverters, the NAND gate 209 and the multiplexers MUX1 204 and MUX2 208 which generate the 16 different frequencies of the Ring Oscillator 156 listed above.
[0056] At manufacturing time, the frequency selected is based on calibration with an established time standard. This standard may be provided by the Real Time Clock 5, or by "Start" and "Stop" time commands timed and sent from a trusted system. Using the Real Time Clock 5 provides the optimal calibration input. This calibration is accomplished at the same time secret keys are installed and can only be done in the manufacturing mode. The final set frequency, as read from the lowest four bits of the Oscillator Control Register 152, is stored in the battery-backed RAM 8 or some other non-volatile memory. Each time the device is reset, or power is applied, the device assures itself that the final set frequency stored in non-volatile memory is correct by using modification detection codes, as described below. If the final set frequency is correct then it is loaded into the lowest four bits of the Oscillator Control Register 225, thus re-establishing the optimal operating frequency of the Ring Oscillator 156. If the final set frequency is incorrect, as stored in the non-volatile memory, then no value is loaded into the Oscillator Control Register 225, thus leaving it at its reset value. Leaving the Ring Oscillator 156 at its reset value, which is the lowest programmable frequency, ensures proper operation of the device even under conditions of non-volatile memory corruption. For example, it assures that the internal Micro Controller clock input SYSCLK 216 is never driven at too high a frequency, which could lead to malfunction and possible security breach.
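The reset-time check of the stored set frequency, written out as an added example that is not the patent's firmware: the sixteen nominal frequencies, the four-bit OSC_FREQ field, the divide-by-two on the way to the Micro Controller and the rule "load only if the modification detection code verifies, else stay at the reset value" are taken from the text; the NVRAM record layout, the choice of a keyed HMAC as the modification detection code, and the device key are assumptions made for this example.

```python
import hashlib
import hmac

# Nominal Ring Oscillator frequencies in MHz, indexed by the 4-bit OSC_FREQ value
# (0000 = lowest, which is the register's reset value; 1111 = highest).
RING_MHZ = [22.0, 23.0, 24.8, 26.2, 27.7, 29.0, 31.9, 34.3,
            37.8, 40.2, 46.0, 51.2, 58.8, 64.9, 82.2, 102.2]
OSC_FREQ_MASK = 0x0F     # OSC_FREQ occupies the lowest four bits
MDC_LEN = 8              # bytes of modification detection code stored (assumption)


def mdc(device_key: bytes, body: bytes) -> bytes:
    """Modification detection code over an NVRAM record body (keyed HMAC; assumption)."""
    return hmac.new(device_key, body, hashlib.sha256).digest()[:MDC_LEN]


def store_set_frequency(device_key: bytes, osc_freq: int) -> bytes:
    """Manufacturing mode: record the calibrated nibble plus its MDC (constructed layout)."""
    if not 0 <= osc_freq <= OSC_FREQ_MASK:
        raise ValueError("OSC_FREQ is a 4-bit value")
    body = bytes([osc_freq])
    return body + mdc(device_key, body)


def reset_oscillator_control(device_key: bytes, nvram_record: bytes,
                             reset_value: int = 0) -> int:
    """Value of the Oscillator Control Register after the reset-time check.

    Only a record whose MDC verifies is loaded; a short, altered or
    wrongly-keyed record leaves the register at reset_value, i.e. the lowest
    programmable frequency, so corrupt NVRAM can never drive SYSCLK too fast.
    """
    if len(nvram_record) != 1 + MDC_LEN:
        return reset_value
    body, stored = nvram_record[:1], nvram_record[1:]
    if not hmac.compare_digest(stored, mdc(device_key, body)):
        return reset_value
    return (reset_value & ~OSC_FREQ_MASK) | (body[0] & OSC_FREQ_MASK)


def sysclk_mhz(osc_control_register: int) -> float:
    """SYSCLK as seen by the Micro Controller: the ring frequency divided by two."""
    return RING_MHZ[osc_control_register & OSC_FREQ_MASK] / 2
```

Note the fail-safe direction: a record altered to select a higher ring frequency (the test flips the stored nibble from 9 to 15) is not "partly trusted"; the register simply stays at 0000 and the part runs at 11 MHz instead of the calibrated 20.1 MHz, which is slow but safe.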

v. Real-Time Clock.

[0057] For the reasons disclosed above, as well as an innate temperature variability of about 30% over the SPU's operating range, the System Clock 2 represents a secure but somewhat inaccurate timing device, suitable for internal clocking of the Micro Controller 3, but not for keeping UNIX time or to control timed and time-of-day events.

[0058] Referring to FIG. 1, the RTC Oscillator 14 is designed to produce a 32.768 KHz signal, RTCLK 29, through use of an external quartz crystal 15. Alternatively, one could bypass the RTC Oscillator 14 and generate RTCLK 29 through an external clock. OSC_ON 42 allows the oscillator to be stopped even though battery power is applied to the device. This prevents drain on the battery, as, for example, while the system is in inventory before it is sold. The output RTCLK 236 from the RTC Oscillator 241 is used to drive the Real Time Clock, as described below.
[0059] With reference to FIG. 8, the Real Time Clock 5 consists of a binary Ripple Counter 302, a Bus Interface and Decoder 301, and a Synchronization Block 303. The Ripple Counter 302 may be a conventional shift register array with 15 bits allocated to counting fractions of seconds, output via SFC 306, and 32 bits allocated to a seconds counter, output via SC 307. The value of SC 307, when combined with an offset in the local battery-backed RAM Block 8, produces the sought-after UNIX time. The final carry-over in the Ripple Counter 302 produces the ROLLOVER 34 signal.
[0060] The Bus Interface and Decoder 301 interfaces with the Internal Bus 10 and supplies the system clock CTTL 25, the aforementioned OSC_ON 42 signal, and signals CLEAR_RTC 304 and CLOCK_RTC 305. CLEAR_RTC 304 is used to reset the Ripple Counter 302. CLOCK_RTC 305 allows the Micro Controller 3 to clock the Ripple Counter 302 without resorting to RTCLK 29, and thus permits testing of the device.

[0061] As RTCLK 29 is an external asynchronous signal, the resulting signals SFC 306, SC 307 and ROLLOVER 34 need to be treated by the Synchronization Block 303, in the manner of the Silicon Firewall described earlier. Thereafter, the SFC 306 and SC 307 signals may be appropriately channeled through the Internal Bus 10 in response to polling by the Micro Controller 3. The use of the ROLLOVER 34 signal will be discussed in the context of the Rollover Bit discussed below.

[0062] In accordance with the alarm wake-up feature of the alternative embodiment discussed above, a Countdown Counter 308 (represented in ghost) is set by the Micro Controller 3 via counter control signals sent on the Internal Bus 10, decoded by the Bus Interface and Decoder 301 and transmitted via line(s) 310. Thus, when the Countdown Counter 308 accomplishes a predetermined count, as clocked off the Ripple Counter 302 signals SC 307 or SFC 306, it would issue an ALARM 38 signal in the same manner as described above. In addition, the ROLLOVER 34 signal, passed through OR gate 309, may provide the basis of another wake-up signal via ALARM 38.

vi. Inverting Key Storage.

[0063] It is desirable to place secret information (e.g., the decryption key) in the volatile, or more generally re-writable, memory of the SPU. The secret information will be destroyed if power to the SPU is turned off. On the other hand, if the secret information is placed in non-volatile memory, an attacker can remove the SPU and, at his leisure and by conventional means, examine the information in the non-volatile memory.
[0064] If secret information is not loaded into the volatile memory properly, an attacker may still be able to examine the SPU while system power is turned off and obtain the secret information. This is because the secret information stored in conventional volatile memory may leave a residue on the dielectric material of the SPU, which the attacker can read to obtain the secret information even after power is turned off. When the secret information is loaded into memory, the voltage level of the memory cells causes charge to build up in the dielectric material of the memory cells. If the same secret information is placed in the same memory location for an extended period of time, the dielectric material may be permanently affected by the charge of the memory cells. When this happens, it is possible to determine the secret information even after power is removed from the memory cells. Further, it is possible to artificially "age" the memory cells (so that the dielectric material can be permanently affected in less time) by elevating the voltage and changing the operating temperature of the SPU.

[0065] One aspect of the present invention is an inverting key storage arrangement wherein the secret keys are periodically inverted. As a result, the net average charge across all memory cells is the same, thus leaving no signature of a specially-selected key in the dielectric material of the memory cells which would be amenable to detection.
[0066] In one embodiment of the invention, the inverting key storage arrangement is implemented in firmware. The firmware includes a key inverting routine which is executed at a predetermined interval, e.g., once every 100 ms. A flowchart 800 which includes a key inverting routine 802 is shown in FIG. 9. Flowchart 800 contains a decision block 804 which determines if it is time to branch to inverting routine 802. If the answer is negative, programs in the firmware are executed (block 806). If it is time to execute the key inverting routine 802, flowchart 800 branches to block 808 which causes all access to the keys to be disabled. The embedded controller then reads the key stored in volatile memory. The bits of the key are inverted and then stored back into memory (block 810). In order to keep track of the current status of the inversion (i.e., whether the key is in a normal or inverted state), a key-inversion status bit is assigned to keep track of the status. After the key is inverted, the state of the key-inversion status bit is changed (block 812). Access to the key is now enabled (block 814). Flowchart 800 can now branch to block 806 to execute other firmware routines.
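The following is an added example, not code from the patent, of the firmware arrangement of FIG. 9 written as a C module a Micro Controller main loop could call: a key buffer with its key-inversion status bit, a tick function standing in for decision block 804, the inversion routine of blocks 808 through 814, and a reader that always returns the logical key whatever the current storage polarity. The 128-bit key length, the type and function names, and the toy "dielectric stress" counter (one unit per millisecond a cell spends at logic 1, used only to show that the spread between bits collapses when the routine runs) are this example's assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define KEY_LEN 16            /* assumption: a 128-bit key */
#define INVERT_PERIOD_MS 100  /* the 100 ms interval given in [0066] */

typedef struct {
    uint8_t cells[KEY_LEN];   /* what actually sits in the memory cells */
    bool inverted;            /* key-inversion status bit (block 812) */
    bool access_enabled;      /* cleared while the routine runs (blocks 808/814) */
    uint32_t last_flip_ms;
} key_store_t;

void key_store_load(key_store_t *ks, const uint8_t *key, uint32_t now_ms)
{
    memcpy(ks->cells, key, KEY_LEN);
    ks->inverted = false;
    ks->access_enabled = true;
    ks->last_flip_ms = now_ms;
}

/* Blocks 808-814: disable access, invert in place, toggle status bit, re-enable. */
static void key_invert_routine(key_store_t *ks)
{
    ks->access_enabled = false;
    for (size_t i = 0; i < KEY_LEN; i++)
        ks->cells[i] = (uint8_t)~ks->cells[i];
    ks->inverted = !ks->inverted;
    ks->access_enabled = true;
}

/* Decision block 804: called from the firmware main loop with the current
 * time; returns true when an inversion was performed on this call. */
bool key_invert_tick(key_store_t *ks, uint32_t now_ms)
{
    if ((uint32_t)(now_ms - ks->last_flip_ms) < INVERT_PERIOD_MS)
        return false;         /* not yet time: run other firmware (block 806) */
    key_invert_routine(ks);
    ks->last_flip_ms = now_ms;
    return true;
}

/* Read the logical key, undoing the current storage polarity. Returns
 * false while access is disabled, so a caller cannot see half-flipped bits. */
bool key_store_read(const key_store_t *ks, uint8_t *out)
{
    if (!ks->access_enabled)
        return false;
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = ks->inverted ? (uint8_t)~ks->cells[i] : ks->cells[i];
    return true;
}

/* Toy dielectric-stress model (assumption): every millisecond a cell spends
 * at logic 1 adds one unit of stress to that bit. Returns (max - min) stress
 * over all bits after `total_ms`, with or without the inversion routine.
 * A large spread is the residue signature [0064] warns about. */
uint32_t stress_spread(const uint8_t *key, uint32_t total_ms, bool invert)
{
    key_store_t ks;
    uint32_t stress[KEY_LEN * 8] = {0};
    key_store_load(&ks, key, 0);
    for (uint32_t t = 1; t <= total_ms; t++) {
        if (invert)
            key_invert_tick(&ks, t);
        for (int b = 0; b < KEY_LEN * 8; b++)
            stress[b] += (ks.cells[b / 8] >> (b % 8)) & 1u;
    }
    uint32_t lo = stress[0], hi = stress[0];
    for (int b = 1; b < KEY_LEN * 8; b++) {
        if (stress[b] < lo) lo = stress[b];
        if (stress[b] > hi) hi = stress[b];
    }
    return hi - lo;
}
```

Over a whole number of inversion periods every bit spends exactly half its time at logic 1 regardless of the key, so the stress spread is zero; without the routine it equals the full elapsed time for any key that has both 0 and 1 bits. The access flag matters in real firmware only if an interrupt handler can read the key while the routine is half way through, which is exactly the case block 808 exists for.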
[0067] It is also possible to implement an inverting key storage arrangement using only hardware. FIG. 10 is a schematic diagram of such an arrangement 820, which contains a JK flip flop 822 and a plurality of memory cells, such as cells 824 and 825. The structures of these two cells are identical, and only one will be described in detail. Cell 824 contains two OR gates 827 and 828, a JK flip flop 829, a NOR gate 830, an inverter 831, and a buffer 832. A clock signal on line 834 is connected to the clock input of the two flip flops 822 and 829. A Toggle/Load signal (T/L*) on line 835 is used to put the cells 824 and 825 in a toggle state when the signal is at a high value and in a load state when the signal is at a low value. Thus, when the T/L* signal is low, the data on line 839 is loaded into memory cell 824. When the T/L* signal is high, the JK flip flop 829 will toggle according to the clock signal on line 834. A read signal on line 836 is coupled to the enable terminal of buffer 832. The read signal allows the data stored in the memory cells to be read. The signal on line 836 indicates whether the output on line 839 is the original or the inverted signal.

vii. Additional Security Features.

[0068] In addition to the features described above, the SPU can certainly be rendered more secure in any number of ways. For example, the physical coating disclosed in application Ser. No. 08/096,537, "Tamper Resistant Integrated Circuit Structure", filed July 22, 1993, in the name of inventor Robert C. Byrne, and incorporated herein by reference, has a tamper resistant structure laid down in a pattern which would cover portions of the SPU, but expose others so that etching away the tamper resistant structure destroys the exposed portions. Thus, the SPU would not be easily disassembled or reverse engineered, because the tamper resistant structure would hide the active circuitry and removal of the tamper resistant structure would destroy the active circuitry. This physical coating would act as a natural adjunct to the Metallization Layer Detector (FIGS. 11-13).

[0069] Another security feature that could prove useful is disclosed in application Ser. No. 08/ , "Secure Non-Volatile Memory Cell", filed , 1994, in the name of inventors Max Kuo and James Jaffee, also incorporated herein by reference, which has an EEPROM cell providing protection against external detection of the charge stored within the cell by causing any stored charge to dissipate upon the attempted processing of the cell. This type of EEPROM might fulfill the role of the ROM 7 block, or possibly even substitute for the Inverting Key Storage described earlier (FIGS. 9, 10).

b. Implementation of the Detectors.
i. Photo Detector.

[0070] If secure information resides in registers or memory of a VLSI device, often an attacker finds it fruitful to remove the packaging of such a device to inspect such storage devices directly. This facilitates the investigation of the design architecture and makes it possible to probe internal nodes in an attempt to discover the secure information. Such package removal, or de-encapsulation, will thus likely expose the die to ambient light, even if inadvertently on the attacker's part. Detecting such light could act as input information for suitable responsive countermeasures to take place.
[0071] The construction of a light-sensitive device can be implemented in many standard CMOS processes without any extra masks or steps. For example, lightly doped N-type material exhibits a conductivity proportional to the amount of light to which the material is exposed.

[0072] Referring to FIG. 1, the Photo Detector 16 signal passes through the Silicon Firewall 20 before setting a bit in the Status Register 11. A plurality of such detectors may be placed at strategic places within the SPU, which may be used to localize and further characterize the nature of any intrusion.

ii. High/Low Temperature Detector.

[0073] The normal temperature operating range for the SPU is 0°C to 70°C. Any temperature above this range, in most applications, might well be considered to be the result of an intrusion attempt by an attacker, as for example the heat generated by grinding away at the chip's outer layer. A substrate diode, well known to the art, should be sufficient for detecting temperature changes, although any other comparable device known to those of ordinary skill in the art for performing temperature measurement should suffice.

[0074] With reference to FIG. 1, the Temperature Detector 17 signal passes through the Silicon Firewall 20 before setting a bit in the Status Register 11. Nothing in accordance with this invention precludes a multi-bit field characterizing a temperature scale, or a plurality of such detectors, to characterize any temperature differentials within the SPU.


iii. Metallization Layer.

[0075] Modern day integrated-circuit analysis equipment is able to probe the contents of an integrated circuit while power is applied to the circuit. As a result, it is possible to detect a key, or other secret data for that matter, which is stored in volatile memory. One way to protect the secret key is to cover the key with a metal layer which is able to deflect probing signals directed thereon. However, this metal layer could be removed or altered fairly easily by an attacker. Consequently, protecting the key through the use of a metal layer, as contemplated in the prior art, is rather ineffective.
[0076] One way to enhance the security of the metal layer is for the SPU to contain means for detecting any alteration of the metal layer which covers the key, or any particularly sensitive data for that matter. The SPU can then take actions to respond to the alteration. One embodiment of the invention is shown in FIG. 11. The metal layer is divided into many metal traces, shown in FIG. 11 as parts 852-857. Each trace is connected to an output pin of a latch 860 and an input pin of a latch 862. These two latches are connected to the system bus 868, which is in turn connected to the Micro Controller and the memory. They are also connected to the Status Register 11. Traces 852 and 853 pass over a first area 864, traces 854 and 855 pass over a second area 865, and traces 856 and 857 pass over a third area 866.

[0077] During a system bus cycle, the individual output pins of latch 860 are driven to either a logic high or a logic low, depending on the value of a random number generator (either implemented in hardware or software). As a result, the traces 852-857 should be set to a corresponding logic high or logic low value. At a later bus cycle, latch 862 latches in the logic levels of traces 852-857. If any of the latched logic levels are different from the logic level originally driven by latch 860, it is assumed that an attack has been mounted on the SPU.
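The following is an added example, not part of the patent, modelling the FIG. 11 check in C: a "latch 860" function drives a random six-bit pattern onto the traces, a "latch 862" function samples them a cycle later, and a mismatch mask is returned. The physical fault model (a cut trace reads as stuck at a level; a short between two traces behaves as wired-AND) and the xorshift32 generator standing in for the random number generator are assumptions of this example; so is the type and function naming. The point worth seeing in code is that a short between two traces is invisible in any cycle where both happen to be driven to the same level, which is why the pattern must change every cycle rather than being a fixed value.

```c
#include <stdint.h>
#include <stdbool.h>

#define NTRACES 6   /* traces 852-857 */

typedef struct {
    uint8_t stuck_mask;   /* bit i set: trace i is cut and reads stuck_val bit i */
    uint8_t stuck_val;
    int short_a, short_b; /* -1 for none; otherwise these two traces are tied (wired-AND) */
} trace_fault_t;

typedef struct {
    uint32_t rng_state;   /* xorshift32, standing in for the hardware or software RNG */
    uint8_t driven;       /* latch 860 outputs */
    trace_fault_t fault;  /* what an attacker did to the metal (assumed model) */
} trace_check_t;

static uint8_t rng_next(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    *s = x;
    return (uint8_t)(x & ((1u << NTRACES) - 1));
}

void trace_check_init(trace_check_t *tc, uint32_t seed)
{
    tc->rng_state = seed ? seed : 1u;   /* xorshift must not start at 0 */
    tc->driven = 0;
    tc->fault.stuck_mask = 0;
    tc->fault.stuck_val = 0;
    tc->fault.short_a = tc->fault.short_b = -1;
}

/* Bus cycle N: latch 860 drives a fresh random pattern onto the traces. */
void trace_drive(trace_check_t *tc)
{
    tc->driven = rng_next(&tc->rng_state);
}

/* What the metal actually carries, given the fault model. */
static uint8_t trace_physical(const trace_check_t *tc)
{
    uint8_t v = tc->driven;
    v = (uint8_t)((v & ~tc->fault.stuck_mask) | (tc->fault.stuck_val & tc->fault.stuck_mask));
    if (tc->fault.short_a >= 0) {
        uint8_t a = (v >> tc->fault.short_a) & 1u;
        uint8_t b = (v >> tc->fault.short_b) & 1u;
        uint8_t w = a & b;    /* wired-AND: a low side pulls the high side down */
        uint8_t m = (uint8_t)((1u << tc->fault.short_a) | (1u << tc->fault.short_b));
        v = (uint8_t)((v & ~m) | (w << tc->fault.short_a) | (w << tc->fault.short_b));
    }
    return v;
}

/* Bus cycle N+k: latch 862 samples. Returns the mask of traces that disagree
 * with what latch 860 drove (0 means the layer looks intact). */
uint8_t trace_sample(const trace_check_t *tc)
{
    return trace_physical(tc) ^ tc->driven;
}

/* Run up to `rounds` drive/sample cycles. Returns true at the first mismatch,
 * i.e. when the Metallization Layer Detector bit in Status Register 11 would
 * be set; *rounds_used (if given) reports how many cycles it took. */
bool trace_check_rounds(trace_check_t *tc, int rounds, int *rounds_used)
{
    for (int r = 1; r <= rounds; r++) {
        trace_drive(tc);
        if (trace_sample(tc)) {
            if (rounds_used) *rounds_used = r;
            return true;
        }
    }
    if (rounds_used) *rounds_used = rounds;
    return false;
}
```

A stuck trace is caught as soon as the random pattern drives it to the opposite level, so on average within two cycles; a short is caught as soon as the two tied traces are driven differently, again within about two cycles. An attacker who could predict the pattern could drive the traces to match, which is why the patent leaves the choice of random source open and why a hardware source is preferable here.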

[0078] Another embodiment of the invention is shown in FIG. 12. The metal layer is again divided into many metal traces, shown in FIG. 12 as numerals 902-904. These metal traces are connected to a logic high potential. FIG. 12 also contains a plurality of AND gates, shown as numerals 906-908, and a plurality of memory cells 913-916. Each of the AND gates 906-908 has one input terminal connected to one of the traces 902-904 and one output terminal connected to one of the power lines 910-912 of memory cells 914-916, respectively. The other terminals of each of AND gates 906-908 are connected to power lines 909-911, respectively. These power lines 909-911 could feed off VPP 24, for example.
[0079] When the metal traces are in their normal condition, i.e., connected to a logic high potential, the inputs of the AND gates are at a logic high potential. Thus, all the memory cells are powered by the outputs of the AND gates. However, if any one of the metal traces is removed, the output of the corresponding AND gate will change to a logic low, which turns off the associated memory cell. Since the output of an AND gate is connected to the input of an adjacent AND gate, the output of the adjacent AND gate becomes a logic low, which turns off the memory cell associated with the adjacent AND gate. This sequence of events propagates until all the outputs of the AND gates become a logic low. As a result, all the memory cells are turned off, resulting in the destruction of the data stored therein. This embodiment does not require any action of the Micro Controller and could amount to a last-ditch defense.

[0080] A third embodiment of the invention is a LATN cell, shown in FIG. 13 as 920. LATN cell 920 is essentially a latch with a weak feedback path so that any intrusion in the cell will cause the cell to toggle. A control signal on line 925 is applied to a transmission gate 922 and, through an inverter 926, to another transmission gate 924. As a result, only one of the transmission gates is turned on at a time. When transmission gate 922 is turned on, a data signal on line 927 passes through an inverter 928 to output inverters 929 and 930. An inverter 931 is connected to inverter 929 in order to provide an inverted output. When transmission gate 922 is turned off, the data signal is no longer connected to the output inverters. However, the output signal retains its value because of the feedback provided by an inverter 932 and transmission gate 924.

[0081] One of the important features of the LATN cell 920 of the present invention is that the feedback inverter 932 has weak output power. Thus, if the LATN cell 920 is exposed to radiation introduced by a probe, the feedback path is broken and the output value of LATN cell 920 would not be maintained.

[0082] In all of these embodiments, the outputs thereof could be used as detectors, as symbolically represented by Metallization Layer Detector 18, feeding their signal through the Silicon Firewall 20 to the Status Register 11. It should not be ignored that the Metallization Layer itself provides a passive defense to probing, as discussed below.


iv. RTC Rollover Bit and the Clock Integrity Check.

[0083] As discussed above, the Real Time Clock 5 uses a 32.768 kHz crystal to drive a Ripple Counter 248 which keeps UNIX time. Were one to replace this crystal with a frequency source several orders of magnitude higher, while the SPU is operating under battery power only, one could conceivably roll the counter over a predetermined number of pulses to the point where, when system power is reapplied, the Micro Controller 3 would not be able to detect that any discernible amount of time had passed since the previous time it was turned on. The implications for various applications are serious, as for example: metering information, where the time the information was actually used and the time subsequently charged for such use would have little bearing on each other.
[0084] Prior art solutions to detect clock tampering have the drawback that they require the entire system to be always up and running; typically, however, in order to minimize power consumption in times of non-use, most of the system is powered down while the real-time clock continues to run from batteries. Thus, the problem is to create a mechanism that can detect tampering of a real time clock without the use of the external system, such mechanism to be contained wholly within the real time clock for security reasons, and be a minimal drain on the total power.
[0085] In the present invention, referring to FIG. 1, this problem is solved by the provision of a rollover bit in the Status Register 11, set by the ROLLOVER 34 signal. This rollover bit is configured as a read/write mask, i.e. it can only be cleared by writing a one to it when it already is set to one, and this write may only come from the Micro Controller 3, a feature which enhances security. The ROLLOVER 34 signal is generated by the Real Time Clock 5 described above. The 32 bits of the SC 307 output, as per FIG. 8, represent a carry-over at 2^32 cycles, corresponding to about 136 years when operating in conjunction with a 32.768 kHz crystal. This is well beyond the contemplated lifetime of any SPU product. Even clocking the circuit at something like 32.768 MHz, three orders of magnitude higher, were this tolerated by the oscillator circuitry, would result in a rollover only after every 49.7 days, a long time for a would-be attacker to wait, and even then such attacker would be foiled by the rollover bit feature, as a rollover should never occur within the contemplated lifetime of the product, as just discussed. Resorting to a second rollover would not work, as the rollover bit cannot be cleared by a second carry-over, as just described.

[0086] This approach has the advantages of its low cost of implementation, the small amount of SPU real estate it requires, and its compatibility with a simple ripple counter architecture, yet without inviting additional security risks.
[0087] The security offered by the RTC Rollover Bit is supplemented by a general clock integrity check as shown in FIG. 14(a). The process begins at step 551 by reading back from RAM 8, or some special register, a prior readout of the Real Time Clock 5 stored by this process 552. A monotonicity test is performed by comparing the present time with the prior stored reading 553. If the present time is less, a security problem has arisen and is signalled 560 and the process should then terminate 558. If the present time is indeed greater, then it is stored for a future monotonicity test 554. Next, a fixed benchmark performance test is conducted 555; many of these types of tests are well known in the art and need not be alluded to here. The important thing is that such a test takes a given number of system clock cycles, CTTL 25, such length established during production time testing or, alternatively, clocked at run time for the given number of cycles. At the completion of the benchmark test, the completion time, as measured by the Real Time Clock 5, should be stored 556. Thus, the benchmark test elapsed time, as measured by the Real Time Clock 5, can be calculated and compared with the number of CTTL 25 clock cycles. The initial calibration of the System Clock 2, that is, the setting of its operational frequency, should provide the necessary conversion factor between the Real Time Clock 5 and the System Clock 2, allowing such a comparison. As described earlier, the System Clock 2 also exhibits a considerable degree of variability with temperature; thus, the time comparison should take into account some operational tolerance 557. If the comparison falls outside this tolerance, the security problem should be signalled 559, but in either case the process would then terminate 558.
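The following is an added example, not code from the patent, covering [0083] through [0087] together in C: a model of the FIG. 8 Ripple Counter (15 fraction bits above a 32-bit seconds counter, clocked at 32.768 kHz), the sticky rollover bit with its write-one-to-clear rule, the over-clocking attack of [0083], and the FIG. 14(a) clock integrity check as a function that takes the stored prior reading, the benchmark's CTTL cycle count and its elapsed RTC ticks. The benchmark length, the 30% tolerance, the calibration factor being a plain CTTL frequency, and all names are this example's assumptions; the 2^47-pulse rollover period and the 49.7-day figure fall out of the counter widths given in the text.

```c
#include <stdint.h>
#include <stdbool.h>

#define RTC_HZ          32768u
#define FRAC_BITS       15
#define SEC_BITS        32
#define ROLLOVER_PULSES (1ull << (FRAC_BITS + SEC_BITS))   /* 2^47 RTCLK edges = 2^32 s */

typedef struct {
    uint64_t pulses;      /* 47-bit ripple counter: SFC = low 15 bits, SC = next 32 */
    bool rollover_bit;    /* Status Register 11 rollover bit */
} rtc_t;

void rtc_reset(rtc_t *r) { r->pulses = 0; r->rollover_bit = false; }

/* Advance by n RTCLK edges; the final carry-over sets the sticky bit. */
void rtc_clock(rtc_t *r, uint64_t n)
{
    uint64_t total = r->pulses + n;
    if (total >= ROLLOVER_PULSES) r->rollover_bit = true;
    r->pulses = total & (ROLLOVER_PULSES - 1);
}

uint32_t rtc_seconds(const rtc_t *r) { return (uint32_t)(r->pulses >> FRAC_BITS); }

/* Read/write-mask semantics of [0085]: writing 1 to a set bit clears it;
 * writing 0, or writing to a clear bit, changes nothing. Only the Micro
 * Controller is wired to call this; the counter itself can only set the bit. */
void rtc_rollover_write(rtc_t *r, bool value)
{
    if (value && r->rollover_bit) r->rollover_bit = false;
}

/* Attack of [0083]: feed `attack_hz` instead of 32.768 kHz for `days` days
 * under battery power. Returns the bit the Micro Controller will see later. */
bool rollover_attack_detected(rtc_t *r, uint64_t attack_hz, uint64_t days)
{
    rtc_clock(r, attack_hz * 86400ull * days);
    return r->rollover_bit;
}

/* FIG. 14(a). `prev_sec` is the prior RTC reading kept in RAM 8 (step 551);
 * `bench_cttl` is the fixed benchmark's length in CTTL 25 cycles,
 * `bench_rtc_ticks` the RTC ticks that elapsed while it ran (steps 555/556),
 * `cttl_hz` the calibrated System Clock 2 frequency, `tol_pct` the allowed
 * deviation (step 557). Returns 0 = ok, 1 = monotonicity failure (step 560),
 * 2 = benchmark out of tolerance (step 559). On a monotonic reading
 * *prev_sec is updated for the next run (step 554). */
int clock_integrity_check(uint32_t *prev_sec, uint32_t now_sec,
                          uint64_t bench_cttl, uint64_t bench_rtc_ticks,
                          uint64_t cttl_hz, unsigned tol_pct)
{
    if (now_sec < *prev_sec) return 1;
    *prev_sec = now_sec;
    uint64_t expect = bench_cttl * RTC_HZ / cttl_hz;   /* conversion factor */
    uint64_t lo = expect * (100 - tol_pct) / 100;
    uint64_t hi = expect * (100 + tol_pct) / 100;
    if (bench_rtc_ticks < lo || bench_rtc_ticks > hi) return 2;
    return 0;
}
```

At 32.768 MHz the counter passes 2^47 pulses between day 49 and day 50, which matches the 49.7 days quoted in [0085]; the bit then stays set through any number of further carry-overs and through a write of 0, and only the Micro Controller's write of 1 clears it. The integrity check catches both a clock that has been wound back (monotonicity) and one that has been stopped or slowed while the system clock kept running (benchmark comparison); the tolerance must be wide enough to absorb the System Clock 2 temperature drift described in [0057].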

v. VRT Security Bit and the Power Integrity Check.

[0088] The VRT Security Bit is provided to inform the system that both the battery and system power have simultaneously dropped below an acceptable voltage, for example 2V. When that occurs, any volatile storage information, as well as the time count in the Real Time Clock 5, may be lost. References to RAM 8 in this context will be deemed to include off-chip RAM powered by VOUT 23. Referring to FIG. 1, the VRT bit may be implemented as a special bit in the Status Register 11, with voltage detection circuitry tied to VPP 24, such as pull-up or pull-down resistors, designed to make the bit go low in the absence of sufficient voltage. Thus, the VRT bit is cleared by the Power Block 13, and is only set by the Micro Controller 3 via Status Read/Write lines 36. The VRT bit is used in conjunction with rewritable-memory modification detection codes on the RAM 8, to perform an overall integrity check on the battery-backed section of the SPU. The modification detection codes may be any one of an assortment of suitable codes, as is well known in the art, from a simple checksum, to a cyclic redundancy check (CRC), to more elaborate algorithms such as MD5 owned by RSA Data Security, Inc., each affording different levels of security, compactness and error recoverability. For example, a simple checksum, while easy to implement, allows a large degree of freedom for an attacker to overwrite the contents of RAM 8 while preserving the same overall checksum. Whichever modification detection code is used, the code result is conventionally stored along with the RAM 8 it is measuring.

[0089] With reference now to FIG. 14(b), the general power integrity check process 251 will be described. As the SPU is powered up, the Micro Controller 3 performs the necessary initialization operations on the SPU 252. Then, the Micro Controller 3 polls the Status Register 11 to ascertain the state of the VRT bit 253. If the VRT bit is set to 1, a modification detection operation on the RAM 8 is performed 254. Then, the SPU determines if any modification has been detected 255. If not, the SPU is said to be in its normal operating state, and thus should only implement commands that give restricted access to its secret data 256, and the process then exits 257.

[0090] If a modification has been detected, the SPU is in an error state and so the security problem is signalled 258 and the process exits 257.

[0091] If the VRT bit is set to 0, a modification detection operation is also performed 259. If no modification is detected, the SPU is in a secure, albeit low power, state; in other words, although the RAM 8 presently checks out, the power cannot be trusted and so this problem should be signalled 261 and the process exits 257.

[0092] Finally, there is the scenario where modification was detected, yet VRT is 0; this modification detection is spurious as the RAM 8 is in a random configuration, i.e. it is said to be in the manufacturing state. The following is a description of a response taken in one embodiment of this invention, and should not be read to preclude any number of possible responses in this state. In this one embodiment, the SPU could zeroize all secret data areas and use the default operational configuration parameters, such as the lowest System Clock 2 oscillator frequency, stored preferably in the ROM 7, to operate in the most trustworthy state 262. The SPU then could enter a mode whereby manufacturing tests may be performed and the configuration parameters may be set 263. Then, any manufacturing tests may be performed in order to guarantee the reliability of the SPU 264. Once those tests have been made successfully, the secret data, such as the keys, may be loaded, and a modification detection code computed on the entire contents of RAM 8 and stored therein 265. Finally, the SPU will set the VRT bit to 1, putting it into the normal operating state 266, after which the process may exit 257.
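The following is an added example, not code from the patent, serving the modification detection code discussion in [0088] and the FIG. 14(b) procedure of [0089] through [0092] (the same verify-or-fall-back rule also governs the stored oscillator setting described at the start of this section). Two codes are implemented over a RAM 8 image that carries its code in a trailing 4-byte slot: a plain additive checksum, kept only to show the weakness [0088] names (an attacker can change two bytes and keep the sum), and CRC-32, which catches the same edit. The four outcomes of FIG. 14(b) are reduced to one function of the VRT bit and the code result, and the manufacturing-state response of [0092] is written out with the lowest oscillator setting standing in for the ROM 7 default. One caveat of this example, not the patent's: neither a checksum nor a CRC nor MD5 is keyed, so against an adversary who can also rewrite the stored code slot they detect only careless or accidental change, and a keyed MAC would be needed. Image layout, the code slot, state names and all identifiers are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

enum spu_state { SPU_NORMAL = 0, SPU_ERROR = 1, SPU_LOW_POWER = 2, SPU_MANUFACTURING = 3 };

typedef uint32_t (*mdc_fn)(const uint8_t *, size_t);

/* Simple 32-bit additive checksum: cheap, and easy to forge. */
uint32_t mdc_sum(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}

/* CRC-32 (IEEE, reflected, poly 0xEDB88320), bitwise, no table. */
uint32_t mdc_crc32(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* RAM image layout (assumption): `len` bytes of payload followed by a
 * 4-byte code slot, "stored along with the RAM it is measuring". */
void ram_seal(uint8_t *ram, size_t len, mdc_fn f)
{
    uint32_t v = f(ram, len);
    memcpy(ram + len, &v, sizeof v);
}

bool ram_modified(const uint8_t *ram, size_t len, mdc_fn f)   /* steps 254 / 259 */
{
    uint32_t stored;
    memcpy(&stored, ram + len, sizeof stored);
    return f(ram, len) != stored;
}

/* Attacker move against the checksum: add d to one byte, subtract d from
 * another. mdc_sum is unchanged whenever neither byte wraps; for adjacent
 * bytes the edit is a burst of at most 16 bits, which CRC-32 always detects. */
void forge_pair(uint8_t *ram, size_t i, size_t j, uint8_t d)
{
    ram[i] = (uint8_t)(ram[i] + d);
    ram[j] = (uint8_t)(ram[j] - d);
}

/* FIG. 14(b), steps 253-261, reduced to its four outcomes. */
enum spu_state power_integrity_check(bool vrt_bit, const uint8_t *ram, size_t len, mdc_fn f)
{
    bool modified = ram_modified(ram, len, f);
    if (vrt_bit) return modified ? SPU_ERROR : SPU_NORMAL;            /* 258 / 256 */
    return modified ? SPU_MANUFACTURING : SPU_LOW_POWER;              /* 262 / 261 */
}

/* Manufacturing-state response of [0092]: zeroize, run at the safe (lowest)
 * System Clock setting, load the keys, seal RAM, set VRT. `ram` must have
 * len + 4 bytes. `osc_div_lowest` stands in for the ROM 7 default written
 * to the Oscillator Control Register. Returns the state a fresh check sees. */
enum spu_state manufacturing_recover(uint8_t *ram, size_t len,
                                     const uint8_t *keys, size_t keys_len,
                                     uint8_t *osc_reg, uint8_t osc_div_lowest,
                                     bool *vrt_bit, mdc_fn f)
{
    memset(ram, 0, len + 4);                 /* 262: zeroize all secret areas */
    *osc_reg = osc_div_lowest;               /* 262: most trustworthy clock setting */
    if (keys_len > len) return SPU_ERROR;
    memcpy(ram, keys, keys_len);             /* 265: load secret data */
    ram_seal(ram, len, f);                   /* 265: compute and store the code */
    *vrt_bit = true;                         /* 266: normal operating state */
    return power_integrity_check(*vrt_bit, ram, len, f);
}
```

The forged image passes the checksum verification and fails the CRC verification; the standard check value `mdc_crc32("123456789") == 0xCBF43926` confirms the CRC is the IEEE one. Note that the "VRT = 0 and RAM checks out" case is reported as a problem even though nothing was modified, because the power history, not the data, is what cannot be trusted there.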


vi. Bus Monitoring Prevention.

[0093] With POPS one is concerned with protecting secret information which, among other objectives, implies thwarting any attempt to monitor the internal data transactions that carry secret information. It is axiomatic that a device incorporating POPS must have input and output ports, taking in data, performing operations on this data using the internal secret information and then outputting the resulting data. If an integrated circuit could be altered in such a way that the secret information contained in the device could be extracted through an input or output port, or if a random failure within the device caused this to happen, then the POPS system would no longer be secure.

[0094] Prior solutions for keeping secret information have involved restricting such information to within the confines of a single integrated circuit chip, thus preventing an interloper with standard evaluation tools from monitoring inter-chip data traffic and thereby discerning the secret information. This confinement approach required a high degree of chip integration, in order that all functions needing the secret information are implemented on the same piece of silicon. Also, input and output ports of these integrated circuits would need to be disabled while secret information was being internally transferred.

[0095] The prior solutions relied on the difficulty in modifying already complete manufactured integrated circuits. This is no longer the case, as semiconductor evaluation tools have drastically improved in their sophistication and capabilities. It is now possible to modify parts of an integrated circuit without damaging the other parts or the chip's overall function. Thus, a device which would keep its secret information on internal buses only could now be modified to transfer that information to its input or output ports. This is a lot easier to implement than creating specially-made probes to tap into the internal bus. It should be repeated that even random failures within an integrated circuit have been known to result in a similar scenario. In both cases, therefore, monitoring the input and output ports would allow the secret information to be determined.

[0096] The basis on which to combat this problem, in the present invention, is to create a mechanism internal to the chip that verifies that the original design of the input or output circuitry has not been modified by either an attack or random failure, before bringing out any secret information onto the internal bus. This is accomplished by interrogating critical circuit components to ensure that they are intact and functioning correctly. The detection of a security breach could thus be acted upon accordingly, but at the very least, the bus should be disabled from bringing out any secret information. Also, the secret information should be brought out in several pieces, which has the virtue that, were a random hardware fault to occur precisely when secret information was brought onto the internal bus, then only a small and probably useless portion would be compromised.

[0097] The SPU contains ports that allow data to be transferred from an internal secure bus to external buses. The implementation is brought about, in one embodiment, with special circuitry that is added to the input/output ports and special routines in firmware that are executed by the internal Micro Controller. The internal Micro Controller keeps an internal copy of the last data written to the output register of that port. The internal Micro Controller reads the contents of both the input and output registers; typically, only the input registers can be read by the internal Micro Controller. Before bringing secure information onto the bus, the Micro Controller interrogates the port to ensure that the last valid data written to the port is still in place; otherwise, the Micro Controller does not bring secret information onto the bus. If valid data is in place, then a portion of the secret data is brought onto the bus and transferred internally as necessary. The port is again checked to ensure that valid data is in place in the input/output port's output register. If the secret data, or any other data, is detected in the ports then the Micro Controller does not bring any other secret information onto the bus. This is continued until all secret information is transferred to its internal destination.

[0098] It should be noted that the use, or non-use, of the Bus Monitor is a process controlled from firmware. Referring to FIG. 15, this process shall now be described in detail. Upon the Start 320, the Micro Controller 3 determines whether secret data needs to be transferred onto the Internal Bus 10 in step 352. If not, data may be transferred on the Internal Bus 10 in the conventional manner 353. If secret data is to be transferred on the Internal Bus 10, the Micro Controller 3 reads back the output port registers 354, and stores them in temporary storage 355. In one embodiment, before secret data is moved onto the Internal Bus 10, non-secret data is sent over the Internal Bus 10 as a test 356. The output port registers are again read back 357, and compared with the previously stored read back 358. Should they prove different, the process aborts and signals the security problem 325 and exits at step 362, but if they are the same, the process may proceed, as part of a loop, to determine whether any and all parts of the secret data have already been transferred on the Internal Bus 10 in step 359. If not, the next part of the secret data is moved on the Internal Bus 10 at step 360 and then the process loops back to step 357 to read back the output port registers again. If all parts of the secret data have been transferred, the process loops back to step 352 to control further data transfers on the Internal Bus 10.
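The following is an added example, not code from the patent, of the FIG. 15 firmware loop of [0097] and [0098] in C. The port model keeps an output register the Micro Controller can read back, plus a "leak" hook standing in for a port that has been modified, or has failed, so that it mirrors Internal Bus traffic into its output register; the leak can be set to start after a given number of bus words to model a fault that appears mid-transfer. The secret is moved in 4-byte pieces: the output registers are snapshotted (steps 354-355), a non-secret test word is sent (356), and after the test word and after every piece the registers are re-read and compared (357-358); any difference aborts the transfer and raises the alarm (325). Port count, piece size, the leak model and all identifiers are this example's assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define NPORTS 2
#define CHUNK  4

typedef struct {
    uint32_t out_reg[NPORTS];       /* port output registers, readable by the MCU */
    uint32_t last_written[NPORTS];  /* the MCU's own copy of what it last wrote */
    int leak_port;                  /* -1: intact; else this port mirrors the bus */
    int leak_after;                 /* bus words carried cleanly before the leak starts */
    int puts_seen;
    uint32_t bus;                   /* Internal Bus 10 */
} spu_io_t;

void io_init(spu_io_t *io, int leak_port, int leak_after)
{
    memset(io, 0, sizeof *io);
    io->leak_port = leak_port;
    io->leak_after = leak_after;
}

/* Ordinary port write: the MCU records what it wrote ([0097]). */
void io_port_write(spu_io_t *io, int port, uint32_t v)
{
    io->out_reg[port] = v;
    io->last_written[port] = v;
}

/* Put one word on the Internal Bus. A modified or failed port copies it out. */
static void bus_put(spu_io_t *io, uint32_t v)
{
    io->bus = v;
    io->puts_seen++;
    if (io->leak_port >= 0 && io->puts_seen > io->leak_after)
        io->out_reg[io->leak_port] = v;
}

static bool ports_unchanged(const spu_io_t *io, const uint32_t *snap)   /* step 358 */
{
    return memcmp(io->out_reg, snap, sizeof io->out_reg) == 0;
}

/* Steps 354-362. Moves `len` bytes of `secret` to `dst` in CHUNK-byte pieces.
 * Returns the number of bytes actually moved; *alarm is set on abort, and a
 * short return must be treated as the security problem of step 325. */
size_t secure_transfer(spu_io_t *io, const uint8_t *secret, size_t len,
                       uint8_t *dst, bool *alarm)
{
    uint32_t snap[NPORTS];
    *alarm = false;
    memcpy(snap, io->out_reg, sizeof snap);               /* 354-355 */
    bus_put(io, 0xA5A5A5A5u);                             /* 356: non-secret test word */
    if (!ports_unchanged(io, snap)) { *alarm = true; return 0; }   /* 357-358 */
    size_t moved = 0;
    while (moved < len) {                                 /* 359 */
        size_t n = len - moved < CHUNK ? len - moved : CHUNK;
        uint32_t w = 0;
        memcpy(&w, secret + moved, n);
        bus_put(io, w);                                   /* 360: next piece */
        if (!ports_unchanged(io, snap)) { *alarm = true; break; }  /* back to 357-358 */
        memcpy(dst + moved, &w, n);
        moved += n;
    }
    io->bus = 0;          /* clear the bus after use (this example's choice) */
    return moved;
}
```

A port that leaks from the start is caught by the test word, before any secret reaches the bus. A port that starts leaking part way through exposes exactly one piece, which is the property [0096] argues for when it says the secret should be brought out in several pieces; the transfer stops there and the caller sees both the alarm and the short byte count.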

[0099] This approach has the virtue of relatively low cost implementation, without any special semiconductor processing. It also guards against combined physical and electrical attacks, as well as random failures. This system, by being implemented in multiple blocks within the integrated circuit in conjunction with firmware operated by the Micro Controller, would be expensive and difficult to reverse engineer.

vii. Trip Wire Input.

[0100] Many of the concerns regarding attack on the input/output pins of the SPU, described above in the context of the Bus Monitor Prevention, may be addressed through monitoring of just these pins, providing cryptographic alarms or trip wires for just those kinds of attacks. An attacker may be monitoring any given pin, to determine its functionality. The PINs 32 of the I/O Port 1, being programmable, are ideally suited to detect any such unexpected reads or writes. Furthermore, they may be used not only to detect an attacker usurping these PINs 32, but may also be used as inputs from off-chip external detectors, such as a battery of photo detectors arrayed inside a PCMCIA card.
[0101] With reference to FIG. 16, the process that begins at step 401 will now be described in detail. A given bit, the Xth bit, on the I/O Port 1 is set to a 1 402. The process waits until the operating system has determined it is time for the I/O Port 1 to be checked 403. This should take into account, for instance, when such a pin needs to be used for regular I/O operations. When such time arrives, the Xth bit is read 404 and checked to see if it is still a 1 405. If so, the process may return to its wait state at step 402. Otherwise, the process aborts and signals the security problem 406, and the process exits 407.

viii. Software Attack Monitor.

[0102] One of the least expensive ways to defeat the security system in a hardware device (which may contain a plurality of components such as a microprocessor, PALs, etc.) is to mount a random data electronic attack on the hardware device. Specifically, an attacker could send signals (which may be commands, data, or random signals) to the input pins of some of the components in the device and monitor the output pins of the same and/or different components. This kind of attack requires little or no special hardware, and the attacker may be able to learn confidential information contained in or protected by the hardware device.

[0103] A typical attack strategy is now described. An attacker would monitor the hardware and software operation of the components for some period of time during normal operation. As a result, the attacker could determine the normal command structure of the programmable components in the hardware device. The attacker would then create his/her own command sequences (e.g., by slightly modifying the commands or the command operators, or even creating entirely different commands) based on the information obtained. The reaction of the components to these command sequences is then recorded, thus building up a "characterization database." As the operation of the components becomes understood, the signals sent to the components are no longer random but are designed to identify commands that could defeat the security of the system.

[0104] It can be seen from the above attack strategy that the components in the hardware device, including the microprocessor, will receive a large number of invalid commands, at least during the initial phase of the attack. Consequently, one aspect of the present invention is for the SPU to detect the occurrence of an excessive number of invalid commands and to take appropriate actions to defeat or hinder the attack. One should bear in mind that some perfectly innocent functions generate a series of invalid commands, as for example, when a computer upon boot-up interrogates all peripheral devices and ports to determine if they are present and active.

[0105] One means by which to measure an "excessive number" of invalid commands is to determine the number of invalid commands per unit time. The appropriate time unit can be determined by: (1) the rollover time of a counter driven by an oscillator, such as FTTCLK 29; (2) a predetermined number of ticks of the Real Time Clock 5; or (3) a software timing loop. If the number of invalid commands per unit time exceeds a predetermined value ("limit parameter"), appropriate action will be taken by the SPU.

[0106] In some situations, it may be preferable for the SPU to set several limit parameters, each having an associated action. FIG. 17 contains a flowchart 940 which includes four limit parameters. Note that the number of limit parameters is illustrative only, and any number of limit parameters may be used. The flowchart begins at step 940 and then sets the values of each of the four limit parameters 942. The flowchart then branches into a loop consisting of blocks 946-966.

[0107] In block 946, the SPU determines whether a command is valid. If the command is valid, it is processed in the regular manner (block 948). The flowchart then branches back to block 946 to fetch and examine another command. If the command is not valid, flowchart 940 goes to block 950, which calculates the number of invalid commands per unit time. The result of the calculation is compared with the first limit parameter (block 952). If the result is less than the first limit parameter, then no tamper-reactive action is taken, and the flowchart branches back to block 946 to process the next command. If the result is larger than the first limit parameter, the process generates a signal indicating a first level security problem (block 954).

[0108] The flowchart then branches to block 956, which compares the number of invalid commands per unit time with a second limit parameter. If the number is less than the second limit parameter, then no additional action is taken, and flowchart 940 branches back to block 946 to process the next command. If the number is larger than the second limit parameter, the process generates a signal indicating a second level security problem (block 958).

[0109] The flowchart 940 then branches to block 960, which compares the number of invalid commands per unit time with a third limit parameter. If the number is less than the third limit parameter, no additional action is taken, and flowchart 940 branches back to block 946 to process the next command. If the number is larger than the third limit parameter, the process generates a signal indicating a third level security problem (block 962).

[0110] The flowchart 940 then branches to block 964, which compares the number of invalid commands per unit time with a fourth limit parameter. If the number is less than the fourth limit parameter, no additional action is taken, and flowchart 940 branches back to block 946 to process the next command. If the number is larger than the fourth limit parameter, the process generates a signal indicating a fourth level security problem (block 966).

[0111] It is of course up to the supervisory program to decide what steps to take in response to signals of the various limit security problems. The SPU can be programmed to take any or all appropriate actions.

c. Programmable Security. 

[0112] The Programmable Distributed Personal Security System is based on the orchestration of three conceptually distinct, but nonetheless interrelated, systems: (i) detectors, which alert the SPU to the existence, and help characterize the nature, of an attack; (ii) filters, which correlate the data from the various detectors, weighing the severity of the attack against the risk to the SPU's integrity, both to its secret data and to the design itself; and (iii) responses, which are countermeasures, calculated by the filters to be most appropriate under the circumstances, to deal with the attack or attacks present. The selection of responses by the filters would be said to constitute the "policy" of the SPU. The present invention permits a wide capability in all three of the detectors, filters and responses, allowing a great degree of flexibility for programming an appropriate level of security/policy into an SPU-based application.

[0113] The effectiveness of this PDPS trio is enhanced significantly by the other design features of the SPU architecture disclosed herein, for example: the Power Block 13, Power Isolation 13, Silicon Firewall 20, System Clock 2 and Real Time Clock 5, and the Inverting Key Storage. Although the implementation of some of these features creates security barriers which do not strictly fit into the detector/filter/response paradigm, the presence of these barriers certainly slows or even thwarts an attacker's progress, allowing more time to detect an attack, filter out the characteristics of such attack and thus make a more measured response thereto.


i. Detection.

[0114] A wide variety of detectors have already been disclosed, some implemented in hardware, others in firmware. Some may bear witness unambiguously to an actual physical intrusion into the SPU, such as the Metallization Layer Detector 18; others, such as the Photo Detector 16, may be triggered by noninvasive means such as an X-ray of the SPU, or by very invasive means, such as the actual de-encapsulation of the chip. Again, the purpose at this stage is not to decide on the course of action, nor even to coordinate all related information; it is simply to report the detection and move on.

[0115] Referring to FIG. 18, the process of how detectors are generally handled will now be described. The process begins 451 by a decision of whether the detector signal is generated by hardware or firmware 452. The exact nature of how this step is taken is unimportant. Here it is represented by an interrupt generated in the Micro Controller 3, but it could just as easily be based on some periodic polling of registers or any other equivalent method well known to practitioners in the art. Even the distinction between firmware and hardware detectors is at a certain level irrelevant, as the parallelism present in FIG. 18 shows. If the interrupt was generated by hardware, the Status Register 11 would then be polled 453. In this implementation, the key to determining whether indeed any hardware detector was activated is that one or more bits of the Status Register 11 should have changed from the last time it was read 454. If so, the SPU could then take actions as dictated by its programmed policy 455. If not, either an error has occurred owing to a false detection, or certain operational features are in play, such as the signal owing to a periodic wake-up of the SPU under battery power. In either case, action dictated by policy, given such an error or feature, should then be taken 460. Alternatively, at step 452, had the signal originated in firmware, the process would set about determining the routine generating it 461. If such routine proved to be a valid one 462, again action should be taken as dictated by policy 455. Otherwise, action consistent with this error or possible feature should be taken, again as dictated by policy 463. All the aforementioned scenarios thereafter converge. If, in accordance with one alternate embodiment disclosed herein, an alarm wake-up capability is provided, and the process was invoked owing to such an alarm 456, the process would then generate the SLEEP 41 signal 459 and terminate 458. Otherwise, the process would return from interrupt or whatever housekeeping is required in accordance with the particular implementation used 457 and then terminate 458.

ii. Filtering.

[0116] The programmable filtering process lies at the heart of PDPS; without it one merely has hardwired and indiscriminate responses to various attacks. With reference to FIG. 19, this process itself consists of two stages: (i) correlating signals produced by the various detectors to ascertain the attacks involved (FIGS. 19(a), 19(b), 19(c)); and (ii) based on the attacks involved, selecting an appropriate response (FIGS. 19(d), 19(e), 19(f)). There are, of course, operational factors involved at both stages of this process. These factors may be static and intrinsically related to the type of application, the architecture of the SPU, etc., or they may be dynamically varying and related to, for example: (i) the prior history or frequency of detected signals, responses, or all events; (ii) the present state of the SPU; (iii) the present stage or mode of the application; (iv) the potential harm a given attack may represent; or (v) combinations of factors or detectors, for example, coming from a given set, occurring in a particular order, or occurring within a fixed time frame.

[0117] The conditions whereby the detectors are correlated are as follows. In FIG. 19(a), a false alarm condition is shown. A signal is detected, D 501, without corresponding to any real attack, A 502. There are various means by which such a false alarm could be discerned. For example, the detector producing the 501 signal could be polled once more to determine whether the first reading was spurious or not. Alternatively, it may be inferred from the state of other detectors. Such a scenario will be discussed in the context of FIG. 19(c). FIG. 19(b) demonstrates an opposite extreme, where a signal D 503 corresponds unambiguously to one attack, A 504. However, most attacks will be characterized as in FIG. 19(c), where each of one or more detectors, Dc1 505, Dc2 506 and Dc3 507, in conjunction with zero or more factors, Fc1 508, Fc2 509, are required to fully characterize a given attack, Ac 510.

[0118] The selection of responses to attacks falls into the following categories. There is, of course, the non-response R0 512, in FIG. 19(d), whereby no action is taken for a given attack, A0 511. This may owe to a lack of capability, a deliberate design choice, or an application decision. In FIG. 19(e), analogous to the unambiguous condition of FIG. 19(b), there is the unconditional response R 514 to an attack A 513. This may represent a last-ditch scenario, where all outer defenses have been breached and some unequivocal and serious countermeasure needs to be taken. On the other hand, it may also be an application decision. Finally, in FIG. 19(f), there is the general scenario where one or more attacks, Af1 515, Af2 516, in conjunction with zero or more factors, Ff1 517, Ff2 518, Ff3 519, must have been or are present, in order to select the response Rf 520.

[0119] By custom tailoring the correlation of the detector signals, as well as the selection of the responses, a programmable security system can be application- as well as environment-specific.
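As an added example (not code from the patent), the two-stage filter of FIG. 19 can be expressed as a small rule engine: factors are predicates over the SPU's event history, stage one maps detector signals plus factors to an attack, stage two maps the attack plus factors to a TABLE I response. Detector names follow FIG. 1; the poll interval, the "sustained" and "coincident" windows and the policy table are assumptions. The constructed policy mirrors the access-card rules of FIG. 20 discussed later on this page (sustained photo detection alone: recertify; combined with another detector: permanent disable; temperature alone: log), so both the false-alarm case of FIG. 19(a) and the general case of FIG. 19(c)/(f) are exercised.

```python
"""PDPS filtering stage of FIG. 19: correlate detector signals and factors
into attacks, then select a response.

Added example, not code from the patent. Detector names follow FIG. 1; the
factor definitions, time windows and the policy table are assumptions.
"""
from dataclasses import dataclass, field

POLL_TICKS = 10          # how often a detector is re-read (assumption)
SUSTAIN_TICKS = 30       # exposure must persist this long to be "sustained" (assumption)
COINCIDENCE_TICKS = 60   # another detector within this window makes it "combined" (assumption)


@dataclass
class Event:
    detector: str    # "photo", "temperature", "metallization", ...
    tick: int        # Real Time Clock ticks (assumption)


@dataclass
class SpuState:
    history: list = field(default_factory=list)   # prior detector Events, factor (i)
    attacks: list = field(default_factory=list)   # attacks already identified, factor (i)


# --- factors: predicates over the SPU's history (FIG. 19(c), Fc1, Fc2, ...) ---
def sustained(state, detector, now):
    """True if `detector` has been read as active at every poll for SUSTAIN_TICKS."""
    ticks = sorted(e.tick for e in state.history
                   if e.detector == detector and now - e.tick <= SUSTAIN_TICKS)
    if not ticks or now - ticks[0] < SUSTAIN_TICKS:
        return False
    return all(b - a <= POLL_TICKS for a, b in zip(ticks, ticks[1:]))


def coincident(state, detector, now):
    """True if a different detector fired within COINCIDENCE_TICKS of `now`."""
    return any(e.detector != detector and now - e.tick <= COINCIDENCE_TICKS
               for e in state.history)


# --- stage 1: detectors + factors -> attack (FIGS. 19(a)-(c)) ---
def classify(state, event):
    d, now = event.detector, event.tick
    if d == "metallization":
        return "physical_intrusion"                   # FIG. 19(b): unambiguous
    if d == "photo":
        if not sustained(state, d, now):
            return None                               # FIG. 19(a): brief X-ray, false alarm
        return "combined" if coincident(state, d, now) else "exposure"
    if d == "temperature":
        # Heat alone (card on a dashboard) is innocuous; with another detector it is not.
        return "combined" if coincident(state, d, now) else None
    return None


# --- stage 2: attack + factors -> response (FIGS. 19(d)-(f)), responses from TABLE I ---
POLICY = {
    None: "log_attack_internally",              # passive
    "exposure": "disable_until_recertified",    # restricted access
    "combined": "disable_permanently",          # destructive
    "physical_intrusion": "destroy_keys",       # destructive, unconditional as in FIG. 19(e)
}


def select_response(state, attack):
    response = POLICY[attack]
    # Factor (i), prior history: a second sustained exposure is no longer tolerated.
    if attack == "exposure" and "exposure" in state.attacks:
        response = "disable_permanently"
    return response


def filter_event(state, event):
    """Run one detector signal through both stages; returns (attack, response)."""
    state.history.append(event)
    attack = classify(state, event)
    response = select_response(state, attack)
    if attack is not None:
        state.attacks.append(attack)
    return attack, response
```

The point of separating `classify` from `select_response` is the one the text makes: the same detector signal yields different responses depending on history and co-occurrence, and changing the policy (the `POLICY` table and the factor windows) does not touch the detector handling of FIG. 18.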

iii. Responses.

[0120] The final system of PDPS involves the provision of a wide variety of responses, to allow for a rich and full set of countermeasures to any conceivable attack scenario. These responses can be categorized into five major groups: (i) passive; (ii) alarms; (iii) decoy activity; (iv) restriction of access; and (v) destructive. Examples of each are given in TABLE I, which is meant to be an illustrative, but by no means exhaustive, list.



TABLE I
Examples of Typical Responses

Passive
  • Non-response
  • Log attack internally

Alarm
  • Signal local computer
  • Signal remote computer
  • Set I/O Port pin high

Decoy
  • Random command response
  • Random external bus activity

Restricted Access
  • Disable SPU for period of time
  • Require recertification
  • Disabling use of keys, passwords

Destructive
  • Destroy keys
  • Destroy secret data
  • Disable SPU permanently



[0121] A passive response would be one where the SPU conveys no external signal, nor functions in any observable manner differently from its normal mode of operation. This would of course include the classic "non-response" discussed earlier, but also an on-board logging of the attack with its type, timestamp, context, etc.

[0122] An alarm response would indeed convey an externally detectable signal. The SPU may signal the calling application, for instance, to alert the user that the SPU is aware of the attack and may have to proceed to more drastic measures if such attack is not discontinued. In a situation where the SPU is connected via a network or modem to some monitoring computer, as for example, in an information metering context, the SPU may signal that remote computer to tell that the local user is attempting to attack it. On the hardware level, an alarm may be implemented simply by setting a particular pin on the I/O Port 1 high.

[0123] A decoy response is one that departs from the normal mode of SPU activity. It may indeed mimic valid SPU activity. Examples would be to execute SPU commands, or to generate signals on the External Bus Interface 9, either selected at random or from some predetermined set.

[0124] A restricted access response would be to disable some functions from the normal mode of SPU operation. Examples include disabling the SPU totally for some period of time or until recertified in some manner, or disabling operations involving specific keys or passwords.

[0125] Finally, there is the destructive response, which disables functionality of the SPU permanently. Examples include destruction in memory, by erasing keys or other secret data, or permanent physical disablement, such as the burning out of internal fuses.

d. Attack Scenarios.

[0126] Now that the overall structure of the invention has been laid out, it is fruitful to describe in detail the various attack scenarios, the manner in which they are conducted, the information or effect they wish to achieve or access, the design features of the SPU that would thwart such an attack, factors that are relevant in reacting to such attacks, and finally, responses appropriate to such an attack. A summary of the applicable disclosed SPU features, detectors and responses is to be found in TABLE II. These scenarios are by no means exhaustive, but merely illustrative. All further references, unless specified otherwise, are to elements of FIG. 1.

TABLE II
Summary of Attack Scenarios

Electrical Attack on I/O Ports
  SPU Protective Feature(s): Silicon Firewall 20; Alarm wake up
  Triggered Detector(s): Bus Monitor; Trip Wire Input; Software Attack Monitor; Metallization Layer Detector 18; Photo Detector 16
  Suggested Response(s): Random command response; Random external bus activity; Disable SPU temporarily; Disable SPU permanently

Clock Attack
  SPU Protective Feature(s): Silicon Firewall 20; System Clock 2; Real Time Clock 5
  Triggered Detector(s): RTC Rollover Bit; Monotonicity test; System/Real Time Clock cross-check; Temperature Detector 17
  Suggested Response(s): Use other clock; Disable metering functions

Key Attack
  SPU Protective Feature(s): Battery-backed RAM 8; Metallization layer 18; Inverting key storage
  Triggered Detector(s): Metallization layer detector; Bus Monitor; VRT Security Bit
  Suggested Response(s): Disable use of keys; Destroy keys

Physical Attack
  SPU Protective Feature(s): Physical coating; Metallization layer
  Triggered Detector(s): Temperature Detector 17; Photo Detector 16
  Suggested Response(s): Disable keys, secret data; Destroy keys, secret data

Combination Attack
  SPU Protective Feature(s): Any/all of the above
  Triggered Detector(s): Any/all of the above
  Suggested Response(s): Any/all of the above

User Fraud
  SPU Protective Feature(s): Silicon Firewall 20; Power Block 13
  Triggered Detector(s): RTC Rollover Bit; Monotonicity test; System/Real Time Clock cross-check; VRT Security Bit
  Suggested Response(s): Signal Local Computer; Signal Remote Computer; Disable metering functions; Require recertification

i. Electrical Attack on I/O Ports.



[0127] Arguably, the simplest form of attack would be an electrical attack on the I/O Port 1. This type of attack requires very little special hardware. The attacker simply uses the same system configuration that is used in the normal application; however, instead of using the intended software, the attacker creates his own code to interrogate the device. The attacker could go one step further and place monitoring equipment on strategic points in the circuit, as for example, the SPU pins or PAL outputs. This would allow the attacker to more thoroughly characterize the chip in its normal operation, and when it is under attack.

[0128] The typical approach would be to monitor the hardware or software for some period of time during normal operation. From this the attacker could determine the normal command sequence. After this characterization, the attacker could then create his own command sequences based on the information he has obtained. He could try to slightly modify the commands or the command operators to get the device to perform different functions. He might also try to issue commands that he did not see before to see how the device would react. All during this process the attacker would be recording the responses to the different stimuli. As patterns are detected, the data that is issued to the device is no longer random but designed to further evaluate the particular operation. This continues until a particular operation is fully characterized. It would be the attacker's intention to identify commands or responses that could defeat the overall system. For example, the attacker might be looking for a reset operation command, and could then issue such command at inappropriate times.

[0129] The Silicon Firewall 20 would prevent asynchronous signals from the attacker overwhelming the system. The Software Attack Monitor (FIG. 17) would be very sensitive to the overall characterization process. Possibly appropriate responses, in accordance with the measured stages of the Software Attack Monitor, would be to lead an attacker astray with random responses, or eventual disablement of the SPU.


ii. Clock Attack.

[0130] Many applications of the SPU could employ the Real Time Clock 5 advantageously, as for example in information metering. However, the Real Time Clock 5 could be attacked in a variety of ways. The external crystal 15 could be substituted to modify the frequency of the RTC Oscillator 15 and hence the internal Real Time Clock 5. The SPU is designed to perform integrity tasks, one of which is to check the Real Time Clock 5 against the System Clock 2 to see if it is operating in the correct range (FIG. 14(a)). However, in one embodiment, these integrity tasks would be performed only when the entire system is powered; when system power VDD 22 is removed, only the battery-backed Real Time Clock 5 remains operational. It is at this opportunity that an attacker could attack the external crystal 15 without immediate detection. As the Real Time Clock 5 uses a simple binary ripple counter, an attacker could advance the counter until it rolled over. Subsequently, the attacker could continue to run the clock forward to whatever given time reading he wished. This is analogous to the resetting of the odometer of a used car by an unscrupulous dealer.
[0131] The inaccessibility of the internal System Clock 2 to attack, and the Real Time Clock 5 buffering the time signal through an internal Silicon Firewall, certainly stand as barriers in the attacker's way. The System Clock/Real Time Clock cross-check of FIG. 14(a) would detect any switch on power up. If an attacker tried to set the System Clock 2 off by cooling or heating the SPU, the Temperature Detector 17 would give such approach away, as would a clock cross-check, hitherto successful, eventually failing for falling outside the operational tolerance. Furthermore, an attacker attempting to roll over the Real Time Clock 5 would cause the ROLLOVER 34 signal to go off. A possible response would be to use the System Clock 2 to whatever extent possible in lieu of the Real Time Clock 5 should that clock prove untrustworthy. However, that option is highly application-dependent in an information metering context. A more likely response would be to disable all metering functions.
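The three clock checks that TABLE II lists for this scenario (RTC Rollover Bit, monotonicity test, System/Real Time Clock cross-check) are shown together in the following added example, which is not code from the patent. The counter width, the nominal rates of the Real Time Clock 5 and System Clock 2, the tolerance and the reason-to-response mapping are assumptions; the odometer-style attack of [0130] is modelled by driving the simulated ripple counter past its end while VDD 22 is absent.

```python
"""Clock-attack checks of TABLE II: ROLLOVER bit, monotonicity and the
System Clock 2 / Real Time Clock 5 cross-check of FIG. 14(a).

Added example, not code from the patent. Counter width, nominal clock rates,
the tolerance and the response mapping are assumptions.
"""
RTC_BITS = 32                 # width of the binary ripple counter (assumption)
RTC_MOD = 1 << RTC_BITS
RTC_HZ = 1.0                  # nominal Real Time Clock 5 tick rate (assumption)
SYS_HZ = 1_000_000.0          # nominal System Clock 2 rate (assumption)
TOLERANCE = 0.02              # relative drift accepted by the cross-check (assumption)


def advance_rtc(counter, ticks):
    """Model the ripple counter: returns (new_count, rolled_over)."""
    total = counter + ticks
    return total % RTC_MOD, total >= RTC_MOD


class ClockMonitor:
    def __init__(self, rtc_at_power_down):
        # Last trusted RTC reading, retained in battery-backed RAM 8 across power-down.
        self.last_rtc = rtc_at_power_down

    def power_up(self, rtc_now, rollover_bit):
        """Integrity tasks run when VDD 22 returns; returns a reason string or "ok"."""
        if rollover_bit:
            return "rtc_rollover"            # ROLLOVER 34: counter was driven past its end
        if rtc_now < self.last_rtc:
            return "rtc_not_monotonic"       # reads earlier than the last trusted value
        self.last_rtc = rtc_now
        return "ok"

    @staticmethod
    def cross_check(rtc_elapsed, sys_elapsed):
        """FIG. 14(a): elapsed RTC ticks against elapsed System Clock 2 cycles
        over the same powered interval."""
        if sys_elapsed <= 0:
            raise ValueError("cross-check needs a positive System Clock interval")
        expected = sys_elapsed * RTC_HZ / SYS_HZ
        if abs(rtc_elapsed - expected) > TOLERANCE * expected:
            return "rtc_sys_mismatch"        # swapped crystal, or the SPU heated/cooled
        return "ok"


# Policy mapping (assumption), following the responses discussed in [0131].
RESPONSES = {
    "ok": "none",
    "rtc_rollover": "disable_metering",
    "rtc_not_monotonic": "disable_metering",
    "rtc_sys_mismatch": "use_system_clock",   # fall back to System Clock 2 where the application allows
}


def respond(reason):
    return RESPONSES[reason]


if __name__ == "__main__":
    # Constructed odometer-style attack: with VDD removed, the attacker clocks the
    # crystal input until the counter wraps, then runs it on to a chosen value.
    m = ClockMonitor(rtc_at_power_down=RTC_MOD - 256)
    reading, wrapped = advance_rtc(RTC_MOD - 256, 512)
    reason = m.power_up(reading, rollover_bit=wrapped)
    print(reason, "->", respond(reason))
```

Note what the checks do not cover: a clock run forward without wrapping, and at the nominal rate once power returns, passes both the monotonicity test and the cross-check. That is why the text treats the ROLLOVER 34 bit as the decisive signal for the odometer attack and why the cross-check is aimed at a substituted crystal or a thermally shifted System Clock 2 rather than at time travel as such.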

iii. Key Attack.

[0132] Secret information is stored in volatile memory, such as RAM 8 within the SPU, rather than ROM 7. This is done to prevent an attacker from gaining access to this information by simply de-encapsulating the SPU chip and "reading" the schematic. However, when keys or other such secret information are stored in volatile memory within a chip, one can deprocess the chip and detect residual charge in the volatile memory which may reveal the contents stored therein. The act of deprocessing would cause power to be removed from the volatile memory, thus causing the data within the memory to be lost, as the charge decays within the semiconductor. However, if the volatile memory contains the same data for a protracted period of time, charge may build up in the dielectric portion of the memory cell, charge which may be feasible to detect despite removal of power. Also, it may be possible to artificially age the memory device by elevating the voltage and changing the operational temperature of the silicon, thus making the SPU even more susceptible to this memory effect.

[0133] As described earlier, the Inverting Key Storage (FIGS. 9, 10) feature would thwart such key attack by averaging out any residual charge. The de-encapsulation process would be rendered more difficult by the presence of the Metallization Layer, and the Metallization Layer Detector 18 would be set off the moment such layer was cut. The protocol of the Bus Monitor Prevention (FIG. 15), transferring only parts of keys from RAM 8 to the DES Block 6 via Internal Bus 10, would hinder tracing the keys, as well as giving away such attempts. Possible responses might be to disable the keys or other secret data from use, or where the security concerns are very high, or the assault unrelenting, to finally destroy them. Active zeroization could be used to assure such process of erasure is complete.
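The following added example (not code from the patent) models three of the measures named in this section and in the Bus Monitor Prevention procedure of FIG. 15 described earlier (steps 357-362): an inverting key store in which each RAM 8 cell alternates between the key bit and its complement so no cell holds one value for a protracted period, a part-wise transfer to the DES Block 6 that reads each part back before moving the next, and an active zeroization that verifies the erase. Key length, inversion period, part size and the register model are assumptions, and the `bus_fault` hook is a constructed stand-in for an attacker driving the Internal Bus 10.

```python
"""Key custody against the residual-charge and bus-probing attacks of
[0132]-[0133]: the Inverting Key Storage (FIGS. 9, 10), the part-wise key
transfer with read-back of the Bus Monitor Prevention (FIG. 15), and active
zeroization.

Added example, not code from the patent. Key length, inversion period,
part size and the register model are assumptions.
"""
KEY_BYTES = 8            # DES key for the DES Block 6
PART_BYTES = 2           # bytes moved per Internal Bus 10 transfer (assumption)
INVERT_PERIOD = 1000     # ticks between polarity flips (assumption)


class InvertingKeyStore:
    """RAM 8 cells hold the key or its complement, flipped periodically, so every
    cell spends half its life at 0 and half at 1 regardless of the key bit."""

    def __init__(self, key, now):
        if len(key) != KEY_BYTES:
            raise ValueError("expected %d-byte key" % KEY_BYTES)
        self.cells = bytearray(key)
        self.inverted = False          # polarity flag stored alongside the cells
        self.last_flip = now

    def maintain(self, now):
        """Called from the periodic housekeeping; flips polarity when due."""
        if now - self.last_flip >= INVERT_PERIOD:
            for i in range(KEY_BYTES):
                self.cells[i] ^= 0xFF
            self.inverted = not self.inverted
            self.last_flip = now

    def read(self):
        mask = 0xFF if self.inverted else 0x00
        return bytes(c ^ mask for c in self.cells)

    def zeroize(self):
        """Active zeroization: overwrite, clear polarity, and verify the erase."""
        for i in range(KEY_BYTES):
            self.cells[i] = 0x00
        self.inverted = False
        return all(c == 0 for c in self.cells)


def transfer_to_des_block(store, bus_fault=None):
    """FIG. 15 steps 357-362: move the key one part at a time, reading each part
    back from the destination register before moving the next. `bus_fault` is a
    constructed hook standing in for an attacker driving the Internal Bus 10.
    Returns (ok, des_key_register)."""
    des_key_register = bytearray(KEY_BYTES)   # image of the output port registers
    key = store.read()
    for off in range(0, KEY_BYTES, PART_BYTES):
        part = key[off:off + PART_BYTES]
        on_bus = bus_fault(part) if bus_fault else part
        des_key_register[off:off + PART_BYTES] = on_bus             # step 360: move next part
        if bytes(des_key_register[off:off + PART_BYTES]) != part:    # steps 357/358: read back, compare
            return False, None                                       # step 325: signal security problem
    return True, bytes(des_key_register)


if __name__ == "__main__":
    import os
    store = InvertingKeyStore(os.urandom(KEY_BYTES), now=0)
    store.maintain(INVERT_PERIOD)          # cells now hold the complement
    ok, _ = transfer_to_des_block(store)
    print("transfer ok:", ok, "inverted:", store.inverted)
    print("zeroized:", store.zeroize())
```

Two details matter in practice: the polarity flag must be kept with the cells and cleared on zeroization, since a key read through a stale flag is the complement of the real key; and the read-back in `transfer_to_des_block` aborts on the first mismatched part, so at most one `PART_BYTES` fragment has crossed the bus under attack before the security problem is signalled.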

iv. Physical Attack.

[0134] An attacker might try to de-encapsulate a chip in order to reverse engineer it. Simple observation of the chip layout can lead one experienced in the art to determine where the Micro Controller 3, I/O Port 1, memory, etc., are located. Recognizing the pedigree of a chip, i.e. knowing the manufacturer and the series number and prior chips therefrom, can also aid in the resolution of functionality. Some structures are laid down randomly; others such as RAM and ROM are well known and normally laid down in regular patterns via chip design macros, meaning that large areas of a chip need not be reverse engineered. Detailed resolution of the chip layout can result in reverse engineering of a chip, a process that might cost as much as $100,000 with today's technology.

[0135] Semiconductor industry evaluation tools now provide the capability of making edits to an integrated circuit after processing has been completed. For example, Focused Ion Beam Mill technology has advanced to the point where the equipment is capable of selectively removing or depositing material on the surface of an integrated circuit. These devices can remove layers of metal and oxide and also lay down layers of metal on the integrated circuit's surface. These devices are ostensibly used to debug integrated circuits by cutting metal traces that connect logic gates and by reconnecting the logic gates in a different manner. It is feasible to lay down internal probes; however, it is less costly and less difficult to modify an existing I/O port.

[0136] This kind of attack would first be thwarted by the physical coatings on the SPU, then the Metallization Layer, both acting to make difficult the process of ascertaining the chip layout and of actuating a connection of a probe to nodes within the SPU. Such an attack would likely trigger the Metallization Layer Detector 18 and the Photo Detector 16, and running the altered circuit live under system power VDD 22 would likely trigger the Bus Monitoring Prevention (FIG. 15). The same responses as given above would likely be appropriate as well. The actual act of de-encapsulation through grinding can create enough heat to trigger the Temperature Detector 17 as well as set off a vibration detector, and again, unless done in total darkness, exposure of the die would set off the Photo Detector 16. Disabling or even destroying the keys and secret data seem the most likely responses to such a scenario.

v. Combination Attack.

[0137] Deprocessing is a sophisticated process, requiring first de-encapsulation and then placing the chip, under power, on an ion probing station. Such a machine can actually detect voltage potentials at different parts of the chip, resolving the operational characteristics thereof. The probe cannot observe through a Metallization Layer; however, this would only serve to slow such a machine down. The machine can also be used to remove the Metallization Layer and thus uncover previously secure areas. The attacker might even try to reconnect any broken traces in the Metallization Layer before attempting to access secret information.

[0138] This attack would be slowed by practically every SPU protective feature, trigger practically all the aforementioned detectors, and could certainly be frustrated by any of the responses discussed and more. No guarantee of absolute security can ever be made, but as here the SPU, subject to the full range of defenses, would make an attack so costly in time and money as to make the whole attempt pointless for the types of applications contemplated.

vi. User Fraud.

[0139] The thrust of user fraud is not to reverse engineer the SPU; that is chiefly the province of parties wishing to reproduce compatible or competing SPU products. The fraudulent user instead wishes to use products incorporating an existing SPU outside of its intended use, e.g., not paying, or being wholly undercharged, for information used through an information metering device, which is a likely fraud scenario. Thus, such a user may try simple operations such as trying to roll over the clock, or by resetting the device at various operational stages, a user might hope to interfere with usage reporting or metering. Furthermore, also in the information metering context, by trying to overwrite the RAM 8, after a large purchase, with the contents of the same RAM 8 from before the purchase, a user might hope to erase the traces of such transaction.

[0140] The Power Block 13, with its powering up and down mechanisms, the Silicon Firewall 20, and the Software Attack Monitor (FIG. 17), give an attacker little opportunity for throwing the SPU into an unpredictable or unreliable state by inopportune resets, as discussed before. The protection of the ROLLOVER 34 signal and the clock cross-checks have also already been well described.

[0141] In the information metering context, usage might be based on pre-set credit limits, such that should the SPU unit fail, it would be presumed that the credit limit had been completely used, and thus the metering functions would be disabled. The user could only overcome this presumption by physically turning over the unit to whatever servicing agent to prove it had not been tampered with, or by remote interrogation via modem for instance, and thereafter have the servicing agent recertify the SPU device.

e. Sample SPU Application.

[0142] Now that the architecture of the SPU, the nature of the detectors, the detection/filtering/response paradigm of PDPS, and the nature of expected attacks have been discussed, it would be useful to proceed through a sample application which illustrates the principles of the present invention. For this purpose, a modest application is postulated: the use of an SPU-equipped PCMCIA card, an "access card", whose sole function is to provide digital cash. It thus operates as a simple debit-type card, programmed with a certain amount of money, and debited, through use of a PIN number in various transactions, until the entire programmed-in credit has been exhausted.

[0143] The detection/filtering/response process for this access card is as shown in FIG. 20. It is by no means meant to be comprehensive, nor necessarily truly realistic, but simply illustrative of the application-specific demands placed upon programmable security. References herein may also be made to other figures or particular elements present in FIG. 1. The process starts 1001 by determining whether any detector has been set off 1002. If not, the process loops back to 1002, preferably performing all the other tasks necessary to the application in the interim.
[0144] If the Photo Detector 16 is set off 1004, the next inquiry is whether such detection is sustained over a period of time 1034. For example, the access card may have been briefly passed through an X-ray machine at the airport. Such exposure should be very short term. Thus, if the exposure is not sustained, the event should just be logged 1042 and the process returns, through connectors 1043, 1003 to step 1002 (all references to connectors will henceforth be dispensed with for the sake of clarity). If the exposure is sustained, the next inquiry is whether this detection is in conjunction with other detectors going off. This may be the hallmark of many of the attack scenarios discussed earlier. If there is sustained photo detection in isolation, it is suspicious enough on its own that a prudent step might be to disable the access card until it is recertified by an appropriate agent 1034, and thereafter the process loops back to step 1002 until further action is taken. Combined with other detectors going off, however, it might be best to disable the access card permanently 1036, and the process would thus end there 1037.

[0145] If the Temperature Detector 17 is set off 1005, it may then be only necessary to ask whether it occurred in conjunction with other detectors going off 1030. This differs from the Photo Detector 17 scenario in that it is more likely that an access card would be subject to high heat for innocuous reasons, as for example the user leaving the access card on the car dashboard all afternoon. Thus, the application would be more forgiving of mere sustained high temperature. In that case, the process may simply log the event 1042 and loop back to step 1002. Combined with other detectors going off, it may indeed be wise to disable the access card permanently in step 1036.

[0146] If the Metallization Layer Detector 18 is set off 1006, it would be hard to justify anything but a harsh policy in response to such an event, such as disabling the access card permanently 1036. An exception would be where the Metallization Layer Detector 18 were of the LATN cell type (FIG. 13), which is so sensitive that other detectors should be correlated to make sure that a serious attack is indeed being made on the access card.

[0147] If either the ROLLOVER 34 signal or the Clock Integrity Check (FIG. 14(a)) is triggered (steps 1008, 1009 respectively), it may be safe simply to ignore them 1028 and loop back to step 1002, as this simply is not a time-sensitive application.

[0148] If the Power Integrity Check (FIG. 14(b)) is triggered 1010, two situations are possible: (i) the error state; or (ii) the low-power state. In the error state, the contents of RAM 8 are no longer trustworthy, which merits that the access card be disabled permanently 1036. In the low-power state, the RAM 8 contents are still trustworthy, but the battery power may soon fail, which therefore merits a message to the user to the effect that if the credit is not soon transferred to another access card, it may be irreparably lost 1026. In the latter case, the process would again loop back to step 1002.

[0149] If either the Bus Monitor (FIG. 15) or Trip Wire Input (FIG. 16) is triggered 1012, there appears little justification to do otherwise than to disable the access card permanently 1036.

[0150] If the Software Attack Monitor (FIG. 17) is triggered 1014, a logical first step would be to determine if the access card is still in the handshaking phase 1016. This would correspond, for example, to the access card being inserted into a card reader and various protocols attempted until a proper link is established between the card and the card reader. In other words, this "handshaking" process should be excluded from serious security consideration. Thereafter, a particularly important command that the access card should be focused upon is the proper PIN number being issued by the user. Thus, the first time an improper command is given within the period of one transaction 1018, the process may simply log the event 1042. The second time an improper command is received within the period of one transaction 1020, the access card may issue a message to the user warning them not to do it again 1024, after which the process would again loop back to step 1002. The third time an improper command is received within the period of one transaction 1021, the access card may be disabled until recertification by an appropriate agent 1039; otherwise, it should be disabled permanently 1036.

[0151] If none of the above detectors is triggered, the process would loop back again to step 1002 to await further detected signals.
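The FIG. 20 decision process for the access card, written out as a policy filter; this is an added example and not code from the patent. The detector names, the `Event` fields and the response labels are assumptions, the step numbers in the comments refer to FIG. 20, and the handling of an uncorroborated LATN-cell trip is an assumed reading of [0146].

```python
from dataclasses import dataclass

# Responses named in the text; FIG. 20 step numbers in comments
LOG = "log_event"                              # 1042
IGNORE = "ignore"                              # 1028 (and handshaking, 1016)
WARN = "warn_user"                             # 1024
LOW_POWER_MSG = "low_power_message"            # 1026
DISABLE_RECERT = "disable_until_recertified"   # 1034 / 1039
DISABLE_PERM = "disable_permanently"           # 1036


@dataclass
class Event:
    """One detector trip plus the context the filter correlates it with."""
    detector: str              # assumed names: photo, temperature, metal, ...
    sustained: bool = False    # photo: exposure persisted over time
    others: bool = False       # other detectors fired at the same time (1030)
    latn: bool = False         # metal: detector is of the LATN cell type
    error_state: bool = False  # power: RAM contents no longer trustworthy
    handshaking: bool = False  # software: card still in handshaking (1016)
    bad_commands: int = 0      # software: improper commands this transaction


def respond(ev: Event) -> str:
    """Map a detector event to the response FIG. 20 prescribes."""
    if ev.detector == "photo":
        if not ev.sustained:            # e.g. a brief airport X-ray
            return LOG
        return DISABLE_PERM if ev.others else DISABLE_RECERT
    if ev.detector == "temperature":    # heat alone is likely innocuous
        return DISABLE_PERM if ev.others else LOG
    if ev.detector == "metal":
        if ev.latn and not ev.others:   # assumed: uncorroborated LATN trip is logged
            return LOG
        return DISABLE_PERM
    if ev.detector in ("rollover", "clock"):
        return IGNORE                   # not a time-sensitive application
    if ev.detector == "power":
        return DISABLE_PERM if ev.error_state else LOW_POWER_MSG
    if ev.detector in ("bus", "tripwire"):
        return DISABLE_PERM
    if ev.detector == "software":
        if ev.handshaking:
            return IGNORE
        # 1st improper command: log; 2nd: warn; 3rd: disable until recertified
        return {1: LOG, 2: WARN, 3: DISABLE_RECERT}.get(ev.bad_commands, DISABLE_PERM)
    return IGNORE                       # no detector tripped: keep polling (1002)
```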

[0152] Although the invention has been described in detail with reference to its presently preferred embodiments, it will be understood by one of ordinary skill in the art that various modifications can be made without departing from the spirit and the scope of the invention. Accordingly, it is not intended that the invention be limited except as by the appended claims.

Claims 

1. A secure cryptographic chip for processing and storing sensitive information, including messages received and generated by the chip and keys used to encrypt and decrypt the messages, and for securing the information against potential attacks, the chip comprising:

(a) a cryptographic engine for performing cryptographic operations on messages using a first key;

(b) one or more detectors for detecting events characteristic of an attack; and

(c) a plurality of potential responses to detected events, whereby sensitive information is unencrypted only on the chip, where it is secure from attack.

2. A chip according to claim 1 and including a programmable filter for correlating detected events with one or more operational factors and for selecting and invoking one or more responses based upon the correlation.

3. A chip according to claim 1, further comprising a key generator for generating a second key used by the cryptographic engine to perform cryptographic operations on the first key.

4. A secure chip according to claim 1 and further comprising:

(a) an internal system clock for synchronising functions performed on the chip; and

(b) an external signal synchroniser for synchronising to the internal system clock all asynchronous external signals received by the chip,

whereby the chip cannot be placed in an unknown state due to the receipt of asynchronous external signals.

5. A secure chip according to claim 4 wherein the external signal synchroniser synchronises asynchronous external signals by accepting and using the signals only at selected times determined by the internal system clock.

6. A chip according to claim 1 and further comprising: 

(a) an internal bus for transferring information among components of the chip;

(b) an input/output port for transferring information between internal components of the chip and external devices; and

(c) a bus monitor for periodically comparing the contents of the input/output port before and after the transfer of information along the internal bus,

whereby the chip can detect unauthorised rerouting, to the input/output port, of sensitive information transferred along the internal bus.

7. A chip according to claim 6 wherein the bus monitor compares the contents of the input/output port before and after:

(a) a first transfer of less than all of the sensitive information desired to be transferred along the internal bus; and

(b) a second transfer of the remaining sensitive information, if no change in the contents of the input/output port is detected following the first transfer,

whereby the chip can effectively prevent the unauthorised rerouting, to the input/output port, of sensitive information transferred along the internal bus.

8. A chip according to claim 1 and further comprising: 

(a) a real time clock controlled by an external clock crystal having a substantially consistent external clock cycle frequency;

(b) an internal system clock for synchronising functions performed on the chip, the internal system clock cycle frequency being within a predetermined range of accuracy; and

(c) a clock integrity checking means for causing the chip to perform a reference operation requiring a predetermined number of internal clock cycles, and for determining, from the number of internal clock cycles elapsed per actual external clock cycle during the performance of the reference operation, whether the number of elapsed actual external clock cycles lies within the range of expected external clock cycles,

whereby the chip can detect unauthorised tampering with the external clock frequency.

9. A chip according to claim 1 and further comprising: 

(a) a real time clock controlled by an external clock crystal having a substantially consistent external clock frequency, the real time clock having a counter for counting the number of elapsed external clock cycles;

(b) a rollover detector for detecting whether the real time clock counter rolled over; and

(c) a rollover bit, set upon detecting that the real time clock counter rolled over,

whereby, if the rollover bit is set during an operation not expected to require a sufficient number of external clock cycles to cause the counter to roll over, the chip will detect unauthorised tampering with the external clock frequency.

10. A chip according to claim 1 and further comprising: 

(a) a rewritable memory for storing sensitive information;

(b) a power loss detector for detecting that the loss of both system and battery power is imminent; and

(c) a VRT bit for indicating the sufficiency of system and battery power following the loading of sensitive information into the rewritable memory, the VRT bit being set upon the loading of the sensitive information into the rewritable memory and reset upon the detection of power loss,

whereby the chip can detect the need to save the sensitive information prior to the actual loss of both system and battery power.

11. A chip according to claim 10 and further comprising a rewritable memory modification detector for detecting modification of the rewritable memory, whereby the chip can detect the need to reload the sensitive information into the rewritable memory.

12. A chip according to claim 1 wherein the chip comprises: 

(a) a rewritable memory for storing sensitive information having a substantially constant value;

(b) a memory inverter for periodically inverting the contents of each cell of the rewritable memory; and

(c) a memory state bit for indicating whether the contents of each cell of the rewritable memory are in their actual state, or in the inverted state,

whereby the contents of the rewritable memory contain effectively no residual indication of the constant value of the sensitive information.